Citizen Lab's recent investigation revealed significant security vulnerabilities in various cloud-based pinyin keyboard apps, raising concerns about user privacy. Of the nine apps examined, eight had weaknesses, including offerings from prominent vendors such as Baidu, iFlytek, Samsung, Tencent, Vivo, and Xiaomi. These vulnerabilities could expose users' keystrokes to malicious entities, allowing interception and decryption of sensitive information. The flaws range from cryptographic weaknesses to insecure network transmission. For instance, Tencent QQ Pinyin is susceptible to a CBC padding oracle attack, while Baidu IME suffers from an encryption protocol bug that allows network eavesdroppers to extract typed text. Samsung Keyboard, for its part, transmits keystroke data over plain, unencrypted HTTP. While most developers promptly addressed these vulnerabilities following responsible disclosure, certain preinstalled keyboard apps, such as those from Xiaomi, OPPO, Vivo, and Honor, remain vulnerable. Exploiting these flaws could let adversaries passively decrypt users' keystrokes without detection, compromising their privacy and overall security. To mitigate these risks, users are advised to update apps and operating systems regularly and to consider using on-device keyboard apps. Developers should rely on well-tested encryption protocols and avoid custom solutions prone to flaws. App store operators should not restrict security updates by location and should emphasize compliance with encryption standards.
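To make the CBC padding-oracle point and the "use well-tested protocols" advice concrete, here is an added example written for this digest (not Citizen Lab's code and not any vendor's keyboard code). It uses a constructed AES-256 key and a constructed 16-byte keystroke string, and contrasts the weak pattern (AES-CBC with PKCS#7 padding and no integrity check) with AES-GCM. A one-byte change to the CBC payload is either accepted as garbage or rejected with a distinct padding error depending on the byte, which is the receiver-side signal a padding oracle consists of; the same change to a GCM payload is rejected uniformly, because the authentication tag covers the whole ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample values for the demonstration (not from any real app).
var (
	DemoKey        = bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key
	DemoKeystrokes = []byte("keystroke:nihao ")     // exactly one 16-byte block
)

var errPadding = errors.New("invalid PKCS#7 padding")

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad returns errPadding on malformed padding. That distinct error is
// the signal a padding oracle leaks to whoever can submit ciphertexts.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 { return nil, errPadding }
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) { return nil, errPadding }
	for _, c := range b[len(b)-n:] {
		if int(c) != n { return nil, errPadding }
	}
	return b[:len(b)-n], nil
}

// EncryptCBC is the weak pattern: AES-CBC plus PKCS#7 with no integrity check.
// Layout: iv || ciphertext.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// DecryptCBC accepts any ciphertext whose padding happens to parse, even when
// the rest of the recovered plaintext is garbage.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptGCM is the hardened form: an AEAD mode, so any modification of the
// ciphertext fails the tag check. Layout: nonce || ciphertext || tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func DecryptGCM(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// TamperOutcome XORs mask into one ciphertext byte and reports how the
// receiver reacts: "accepted", "padding-error" or "rejected". For "cbc" the
// byte is the last one of the next-to-last block, which lands on the final
// padding byte of a plaintext whose length is a multiple of 16; for "gcm" it
// is the last ciphertext byte before the 16-byte tag.
func TamperOutcome(mode string, key, plaintext []byte, mask byte) (string, error) {
	enc, dec, off := EncryptCBC, DecryptCBC, aes.BlockSize+1
	if mode == "gcm" { enc, dec, off = EncryptGCM, DecryptGCM, 17 }
	ct, err := enc(key, plaintext)
	if err != nil { return "", err }
	ct[len(ct)-off] ^= mask
	_, err = dec(key, ct)
	switch {
	case err == nil:
		return "accepted", nil
	case errors.Is(err, errPadding):
		return "padding-error", nil
	}
	return "rejected", nil
}
```

With the constructed inputs, `TamperOutcome("cbc", DemoKey, DemoKeystrokes, 0x11)` returns "accepted" (the padding byte 0x10 becomes 0x01, a valid one-byte pad, and the preceding block is silently garbled), while mask 0x01 returns "padding-error" (0x10 becomes 0x11, which exceeds the block size); "gcm" returns "rejected" for both. The defender's check is the same for any keystroke upload path: if a receiver answers unauthenticated ciphertext with distinguishable outcomes (distinct errors, status codes or timings), that channel needs an AEAD mode or encrypt-then-MAC before anything else, and ideally it should sit inside TLS rather than on plain HTTP.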
Several popular Android applications available on the Google Play Store are vulnerable to a path-traversal-related vulnerability known as the Dirty Stream attack. This vulnerabil...
The US confirms Russian hackers have breached water systems. They warn North American and European operators about ongoing attempts by pro-Russia activists to infiltrate their tech...
The Simone Veil hospital in Cannes, France, has become the latest target of cybercriminals, with the LockBit ransomware gang claiming to have accessed and published confidential da...