A popular Chinese text input application, designed for Windows and Android platforms, has been identified with critical encryption deficiencies, potentially enabling unauthorized individuals to decode user-typed content.
The investigation, led by the University of Toronto's Citizen Lab, examined the encryption used by Tencent's Sogou Input Method. The app has more than 455 million monthly users across Windows, Android, and iOS.
The weaknesses lie in EncryptWall, the service's own custom encryption system. They could allow an attacker observing network traffic to recover the typed text and gain access to private data.
Researchers from Citizen Lab detailed, “The encryption system in the Windows and Android variants of Sogou Input Method showcases vulnerabilities, inclusive of susceptibility to a CBC padding oracle assault. This enables those snooping on the network to retrieve the actual text of encrypted communications, laying bare sensitive details, notably the content users input.”
CBC, short for Cipher Block Chaining, is a block cipher mode in which each plaintext block is XORed with the previous ciphertext block before it is encrypted.
Block ciphers operate on fixed-size blocks, so a message must be padded to a whole number of blocks before encryption. A padding oracle is any observable signal (a distinct error message, a different response, or a timing difference) that tells the sender whether a received ciphertext decrypted to correctly padded plaintext. A padding oracle attack exploits that signal, block by block, to decrypt content without possessing the encryption key.
Notably, although the iOS version of Sogou Input Method was not vulnerable to the network attack, the researchers still flagged it as "the likeliest to be compromised", because of a second flaw in EncryptWall that made the first part of the encryption key trivially recoverable.
The app’s reach isn’t confined to Chinese speakers within mainland China. Data from SimilarWeb indicates a global user footprint, with visitors to the platform’s website – shurufa.sogou[.]com – spanning the U.S., Taiwan, Hong Kong, and Japan.
Tencent has since patched these gaps following their responsible disclosure in May and June 2023. As of the previous month, corrections have been implemented in version 13.7 for Windows, 11.26 for Android, and 11.25 for iOS.
Researchers Jeffrey Knockel, Zoë Reichert, and Mona Wang remarked, “Such vulnerabilities could have been sidestepped effortlessly had the system opted for the tried-and-tested TLS, a globally recognized cryptographic protocol, rather than resorting to in-house cryptographic solutions.”