A prevalent Chinese language input app employed on Windows and Android has been discovered to possess severe security vulnerabilities. These loopholes could be exploited by malicious intruders to decode texts typed by its users, thus significantly compromising user privacy.
This alarming revelation comes from the Cybersecurity experts at the University of Toronto's Citizen Lab, who conducted a comprehensive examination of the encryption system leveraged by Tencent's Sogou Input Method app. This particular app enjoys widespread popularity, with a staggering number of over 455 million monthly active users worldwide across the Windows, Android, and iOS platforms.
The security flaws are primarily entrenched in EncryptWall, the encryption system employed by Tencent. These vulnerabilities, worryingly enough, provide eavesdroppers who might lurk on the network an opportunity to decipher the textual material and gain unauthorised access to sensitive data.
According to the researchers' statement, the Sogou Input Method's Windows and Android versions house weaknesses within this encryption system. This includes susceptibility to a CBC padding oracle attack allowing network eavesdroppers to recover the plain text transmissions, thereby disclosing sensitive data involving the material the users have input.
CBC or cipher block chaining operates on a mode of cryptographic function where every plaintext block is XORed with the previous ciphertext block before being encrypted. Given a block cipher operates on a specific size of plaintext blocks, a padding oracle attack could leak data on the validity of received ciphertext's padding post-decryption. This potentially enables a bad actor to decrypt a message without actually possessing the encryption key.
Interestingly enough, the iOS variant of this app was found to be secure against potential network eavesdropping threats, despite having a defect in the EncryptWall system, which could have rather made it the most susceptible to such threats.
Significantly, these issues are not confined only to Chinese users in China. Data from SimilarWeb highlights that users from the U.S., Taiwan, Hong Kong, and Japan also actively visit the app's website, confirming that the threat extends to various regions worldwide. A responsible disclosure was made during May and June 2023 and Tencent has already addressed the issue from their end by releasing updated versions last month.
The researchers, Jeffrey Knockel, Zoë Reichert, and Mona Wang, suggested that such a vulnerability could have been easily averted by using TLS, a more common and mature cryptographic protocol with comprehensive availability and modern support, instead of adopting 'homebrew' cryptography. Even though no cryptographic protocol can be full proof, it's worth mentioning that TLS implementations had already rectified CBC padding oracle attacks back in 2003.
Stay informed with the latest in cybersecurity news by signing up for free. Get invaluable insights and tips, and start protecting your digital presence right away.
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.