Sogou Input Method

2023: Data breach of 455m users

Sogou Input Method Chinese input software on computers and mobile devices contains dangerous vulnerabilities in the system that enciphering endanger personal data approximately 455 million users. This is stated in the report of the information security organization Citizen Lab, published on August 9, 2023.

Citizen Lab has analyzed Sogou Input Method versions for Windows, Android and iOS platforms. In particular, the encryption mechanism EncryptWall was studied - Sogou's own development (it is a subsidiary of Tencent). It has been found that packets transmitted over the network containing sensitive user data, such as keystroke information, can be decrypted by a third party.

Sogou Input Method software contains dangerous vulnerabilities in the encryption system

The issue affects Sogou Input Method apps for Windows and Android, but not for iOS. The EncryptWall engine is vulnerable to Oracle Padding attacks that exploit CBC (Cipher Block Chaining) encryption features. This ciphertext block coupling mode is one of the coding modes for a symmetric block cipher using a feedback mechanism. A successful attack may result in the interception of user messages.

Keystrokes coming from Sogou Input Method users from around the world are transmitted to servers in mainland China that are under the legal jurisdiction of local government, the researchers note. Therefore, the Chinese authorities may have information from any of the users of the named software. Citizen Lab says the analysis shows how important it is for Chinese software developers to rely on proven encryption implementations like TLS rather than develop their own.^[1]

Notes