HQ/EMEAFind out how we can help your business
Tencent’s Sogou Input Method, a Chinese language input app with more than 400 million monthly users, has shown vulnerabilities that could enable unauthorised individuals to decipher the text typed by a user. The bugged application is available on multiple operating systems, like Windows, Android, and iOS.
According to researchers, the flaws are within the EncryptWall, the service’s customer encryption system that allows unauthenticated users to extract the textual context of the users’ app and access sensitive information.
The researchers also explained that the Windows and Android versions of the app include bugs in the encryption system, such as a vulnerability to a CBC padding oracle. The bug could allow eavesdroppers to retrieve the plaintext of encrypted network transmissions that could reveal sensitive data that users have inputted.
The exploit for the Sogou Input Method begins with CBC, a cryptographic operation mode.
A potential Sogou Input Method application hacker would use cypher block chaining (CBC), a cryptographic operation mode in which each plaintext block is XORed with the past ciphertext block before encryption.
A padding oracle attack could leak data about the received ciphertext since the block cypher works on fixed-size plaintext blocks when decrypted. Hence, an unauthorised user could decrypt a message without an encryption key.
On the other hand, the iOS version of the app was secure against eavesdroppers, but it could have been the most susceptible to attacks since it has a second big in the EncryptWall implementation. The second bug has the first half of the encryption key, which an attacker could recover.
Researchers emphasised that the current issue does not affect Chinese writers in China exclusively since most of the samples came from multiple countries, such as the US, Hong Kong, Taiwan, and Japan.
Fortunately, Tencent has addressed the newly discovered flaw in their Windows, Android, and iOS application after the researchers’ responsible disclosure.
The researchers who found the flaw said that a standard and mature cryptographic protocol with abundant availability and updated support could have easily avoided the vulnerability.
