A new report coauthored by CITP graduate student Mona Wang, an expert in digital privacy and security, has revealed that millions of people who use the Sogou Keyboard have been exposed to network eavesdropping on their personal conversations.

Drawing of a person's right hand texting on a device, against a green background.

Credit: The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto

Wang and fellow researchers Jeffrey Knockel and Zoë Reichert at the University of Toronto’s Citizen Lab analyzed the Sogou Input Method – designed by the Chinese internet company Tencent – on Windows, Android and iOS devices as part of an ongoing project to study privacy and security on mobile and desktop devices. They called their findings “disturbing.”

“We found that the Windows and Android versions of Sogou Input Method contain vulnerabilities in this encryption system, including a vulnerability to a CBC padding oracle attack, which allow network eavesdroppers to recover the plaintext of encrypted network transmissions, revealing sensitive information including what users have typed,” they wrote.
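The attack class named in that quote, a CBC padding oracle, arises whenever a receiver lets the network learn (through a distinct error, a retry, or timing) whether the padding of a decrypted message was valid before the message's integrity has been verified. The Python block below is an added illustration, not code from the Citizen Lab report or from Sogou: it places an unauthenticated CBC decryptor beside an encrypt-then-MAC decryptor and measures what a network observer could tell apart. The block cipher is a constructed four-round Feistel network built from HMAC so that the example runs with only the standard library; it stands in for a real cipher and is not a recommendation. The keys, function names and the sample message are all assumptions.

```python
import hmac
import hashlib
import secrets

BLOCK = 16          # block size in bytes (same as AES, which the stand-in imitates)
HALF = BLOCK // 2
ROUNDS = 4
TAG_LEN = 32        # HMAC-SHA256 tag length


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function: HMAC keyed by the cipher key and the round index.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher (constructed for this example): (L, R) -> (R, L xor F(R)).
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, r, right)))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse of block_encrypt: run the rounds backwards.
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, r, left))), left
    return left + right


class PaddingError(Exception):
    """Raised when PKCS#7 padding is malformed; observable, this IS the oracle."""


class IntegrityError(Exception):
    """Single, uniform rejection for any tampered message."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Returns iv || c1 || ... || cn with PKCS#7 padding.
    prev = secrets.token_bytes(BLOCK)
    out = [prev]
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key: bytes, msg: bytes) -> bytes:
    if len(msg) < 2 * BLOCK or len(msg) % BLOCK:
        raise PaddingError("bad length")
    prev, out = msg[:BLOCK], []
    for i in range(BLOCK, len(msg), BLOCK):
        blk = msg[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, blk), prev)))
        prev = blk
    return b"".join(out)


def decrypt_unauthenticated(key: bytes, msg: bytes) -> bytes:
    # Vulnerable pattern: padding is judged on ciphertext the network could have altered.
    return pkcs7_unpad(cbc_decrypt_raw(key, msg))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: tag covers the IV and every ciphertext block.
    body = cbc_encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_authenticated(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    # Fixed pattern: verify the tag first; padding is never examined for a modified message.
    if len(msg) < TAG_LEN + 2 * BLOCK:
        raise IntegrityError("rejected")
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise IntegrityError("rejected")
    return pkcs7_unpad(cbc_decrypt_raw(enc_key, body))


def observable_outcomes(decrypt, msg: bytes, position: int) -> set:
    # Rewrite one ciphertext byte through every other value and record the distinguishable
    # responses; more than one kind of response to a tampered message is a leak.
    outcomes = set()
    for v in range(256):
        if v == msg[position]:
            continue
        tampered = msg[:position] + bytes([v]) + msg[position + 1:]
        try:
            decrypt(tampered)
            outcomes.add("accepted")
        except PaddingError:
            outcomes.add("bad_padding")
        except IntegrityError:
            outcomes.add("rejected")
    return outcomes


def demo() -> tuple:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    keystrokes = b"meet me at 9, bring the docs"   # constructed sample, 28 bytes -> 4 pad bytes
    plain_msg = cbc_encrypt(enc_key, keystrokes)
    # The last byte of the second-to-last ciphertext block is XORed into the final plaintext byte.
    leaky = observable_outcomes(lambda m: decrypt_unauthenticated(enc_key, m),
                                plain_msg, len(plain_msg) - BLOCK - 1)
    sealed = seal(enc_key, mac_key, keystrokes)
    safe = observable_outcomes(lambda m: open_authenticated(enc_key, mac_key, m),
                               sealed, len(sealed) - TAG_LEN - BLOCK - 1)
    return leaky, safe
```

`demo()` returns `{"accepted", "bad_padding"}` for the unauthenticated path (two distinguishable answers to tampering, which is exactly the oracle the quote refers to) and `{"rejected"}` for the authenticated path. Production code should reach for an AEAD such as AES-GCM or ChaCha20-Poly1305 rather than assembling CBC and HMAC by hand; the point of the example is only to show why checking integrity before padding removes the signal.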

Wang and her coauthors alerted the developers, who released fixed versions in late July, but they are urging users to update to the most recent version of the app immediately. Wang also noted that such vulnerabilities have a history, and far-reaching implications.

“It is concerning that these applications have access to our keystrokes, but it is even more concerning that third parties can also access our keystrokes,” she said following the release of the report, “as we know intelligence communities have a history of exploiting these types of encryption vulnerabilities in order to access extremely sensitive data.”

Read their full report, “Please do not make it public”: Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping, which includes documents showing the researchers’ letters to the company and the Sogou Pinyin Method Team’s response to the researchers’ findings.

This report is the second in a two-part series in which Wang investigated privacy and security on mobile and desktop devices. The first report, Should We Chat? Privacy in the WeChat Ecosystem, found that WeChat exposes users to privacy violations. Read about it on the CITP news page.