Researchers have uncovered critical security vulnerabilities in several widely used keyboard apps, including those from major tech giants Samsung, OPPO, Vivo, and Xiaomi.
These flaws could allow network eavesdroppers to intercept and decipher every keystroke a user makes, exposing sensitive personal and financial information.
The Citizen Lab’s comprehensive study focused on the security of cloud-based pinyin keyboard apps from nine different vendors.
The analysis included popular brands such as Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.
Researchers meticulously examined how these apps transmit users’ keystrokes and searched for any vulnerabilities that could be exploited.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
The findings were alarming: eight of the nine vendors had apps vulnerable to interception.
Keystrokes Capture
This means that an attacker could potentially capture everything a user types, including passwords, credit card numbers, private messages, and more, with relatively minimal effort.
The only vendor whose keyboard app was found without such vulnerabilities was Huawei.
According to The Citizen Lab, the vulnerabilities discovered could affect up to one billion users worldwide, given the popularity of the affected keyboard apps.
| Vendor | App Name | Vulnerability Description | Potential Impact | User Base Affected |
|---|---|---|---|---|
| Samsung | Samsung Keyboard | Unencrypted data transmission | Exposure of all keystrokes | Hundreds of millions |
| OPPO | OPPO Keyboard | Weak encryption methods | Easy interception of typed data | Tens of millions |
| Vivo | Vivo Keyboard | No encryption in certain scenarios | Direct access to keystrokes | Tens of millions |
| Xiaomi | Xiaomi Keyboard | Inconsistent encryption | Periodic exposure of keystrokes | Hundreds of millions |
| Baidu | Baidu Keyboard | Unencrypted data transmission | Complete access to typed information | Hundreds of millions |
| Honor | Honor Keyboard | Weak encryption methods | Potential decryption of sensitive data | Tens of millions |
| iFlytek | iFlytek Keyboard | No encryption for specific data types | Exposure of passwords and private messages | Millions |
| Tencent | Tencent Keyboard | Inadequate security protocols | Interceptable personal and financial data | Hundreds of millions |
| Huawei | Huawei Keyboard | No vulnerabilities found | N/A | N/A |
The ease with which these vulnerabilities can be exploited makes it a significant concern, mainly since keyboard apps are used for entering some of the most sensitive information on a device.
The report also highlighted that this is not an isolated issue. Previous analyses have shown similar vulnerabilities in other Chinese apps, and there have been instances where such weaknesses were exploited by intelligence agencies, including those from the Five Eyes alliance.
The vulnerabilities primarily involve the improper or unsecured transmission of keystroke data to cloud servers.
This data transmission, ideally encrypted, appears to be either poorly implemented or completely unencrypted in the cases mentioned, allowing anyone with the right tools and access to the network to intercept the data easily.
In light of these findings, The Citizen Lab has urged all affected companies to address these security flaws promptly.
Users of the implicated keyboard apps are advised to update their apps as soon as patches are available. In the meantime, switching to alternative keyboard apps that prioritize security might be wise.
The report has already prompted responses from several of the companies involved. Samsung, OPPO, Vivo, and Xiaomi have all acknowledged the issue and have announced that they are working on updates to fix the vulnerabilities.
The companies except Baidu, Vivo, and Xiaomi responded to our disclosures,” Citizenlab said.
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.