The findings show that users’ keystroke records are susceptible to decryption by online eavesdroppers, while input typed by users is being transmitted to servers located in mainland China.
The report released on Aug. 9 analyzed Tencent’s Sogou Input Method, which is the most widely used Chinese typing app with over 500 million monthly active users accounting for a 70 percent market share. The application is compatible with multiple platforms including Windows, Android, and iOS, with the vulnerabilities of each version being analyzed in the report.
The researchers pointed out that these issues don’t only affect Chinese writers in China, but also users in other countries. As per Sogou’s market research estimates, the app’s website is visited by users around the world. Around 3.3 percent of the visits come from the United States, nearly 1.8 percent from Taiwan, and over 1.5 percent from Japan.
Following an exchange of correspondence, including a response letter received on July 4, 2023, in which Sogou developers pledged to address the vulnerabilities, The Citizen Lab at the University of Toronto confirmed that the security risks they had identified were rectified across all the platforms by July 20, 2023.
Yet, the researchers highlighted that even though the vulnerabilities have been addressed, the Sogou app continues to send typed content to servers based in China, which raises ongoing security concerns about users’ information potentially being accessible to Chinese authorities.
‘Please Do Not Make It Public’
The Citizen Lab shared its findings with Tencent in a letter dated May 31, 2023. In the document, it provided Sogou developers with a specific time frame to respond to concerns and fix the vulnerabilities uncovered by the researchers before making their findings public.On June 25, The Citizen Lab said it received a message from the Tencent Security Response Centre (TSRC), stating, “There is no low or low-security risk for this issue.” Less than 24 hours later, they got another message correcting the previous one and asking researchers not to share the issue publicly.
“Sorry, my previous reply was wrong, we are dealing with this vulnerability, please do not make it public, thank you very much for your report,” said the TSRC message dated June 25, 2023.
Additionally, upon notifying the Sogou developers of their findings, researchers found that the email domain for The Citizen Lab had been blocked in China, leading to difficulties in receiving correspondence from Tencent.
“Specifically, we found that China’s national firewall injected anomalous DNS [domain name system] replies in response to queries for this domain,” the researchers said. “While this injection behaviour may have been intended to block Chinese users from accessing our website, it also hampers the ability for users in China to email us, even if such an email has been solicited.”
Among their recommendations, the researchers urged Sogou, as well as other software developers in China, to adopt well-supported encryption implementations such as TLS rather than using “homebrew” code design.
“The attacks outlined in this report demonstrate how network eavesdroppers can decipher such data in transit. However, even with the vulnerabilities resolved, such data will still be accessible by Sogou’s operators and by anyone with whom they share the data,” researchers said.
