The developers decided not to use ready-made solutions, but did not take into account that their path will be thorny and tortuous.
Popular Chinese text input application "Sogou Input Method" from Tencent, which has an audience of more than 455 million active users, as it turned out, contains vulnerabilities in the encryption system EncryptWall. This allows attackers to decrypt user-entered data and gain access to confidential information.
As researchers from Citizen Lab found out, the Windows and Android versions of the app are vulnerable to a Padding Oracle-type attack. This attack exploits CBC-mode encryption features and allows hackers to recover the plaintext of encrypted network transmissions, revealing sensitive information, including what users typed.
CBC (Cipher Block Chaining) is an encryption mode in which each plaintext block is linked to the previous encrypted block before encryption. A Padding Oracle CBC attack allows an attacker to decrypt a message without knowing the encryption key used.
Despite the fact that the iOS version of the Sogou app was found to be protected from network eavesdropping, it is not without another flaw in the implementation of EncryptWall, in which the first half of the encryption key can be easily restored, which also allows attackers to decrypt and get hold of user data.
According to the researchers, using the popular TLS protocol instead of native cryptography would help developers avoid such problems. After responsible disclosure of the vulnerability, the problem was fixed by Tencent specialists in versions of the Sogou app 13.7 (Windows), 11.26 (Android) and 11.25 (iOS), but the fact remains.
The problem affected not only users from China. Citizen Lab statistics show that the app is also popular in the United States, Taiwan, Hong Kong, and Japan. Thus, the vulnerability has long been a threat to millions of users around the world. And it can continue to pose a threat if users don't update to the latest version of the app.
The disclosure of vulnerabilities in the Sogou Input Method coincided with the discovery of two critical vulnerabilities that we discussed yesterday. The vulnerabilities are related to the implementation method of MPC cryptographic protocols used in cryptocurrency wallets. Identified security flaws can also lead to the leakage of confidential data.
Experts note that software vendors should take a more responsible approach to implementing cryptographic solutions and thoroughly test them for vulnerabilities before implementing them in their applications.
Using well-established and well-studied cryptographic protocols like TLS minimizes the risk of such incidents. Unfortunately, many developers prefer to "reinvent the wheel" in this area, rather than use reliable ready-made solutions.
The Sogou Input Method incident has once again demonstrated that neglecting security in the design of cryptosystems can endanger the confidential data of millions of users around the world.
Popular Chinese text input application "Sogou Input Method" from Tencent, which has an audience of more than 455 million active users, as it turned out, contains vulnerabilities in the encryption system EncryptWall. This allows attackers to decrypt user-entered data and gain access to confidential information.
As researchers from Citizen Lab found out, the Windows and Android versions of the app are vulnerable to a Padding Oracle-type attack. This attack exploits CBC-mode encryption features and allows hackers to recover the plaintext of encrypted network transmissions, revealing sensitive information, including what users typed.
CBC (Cipher Block Chaining) is an encryption mode in which each plaintext block is linked to the previous encrypted block before encryption. A Padding Oracle CBC attack allows an attacker to decrypt a message without knowing the encryption key used.
Despite the fact that the iOS version of the Sogou app was found to be protected from network eavesdropping, it is not without another flaw in the implementation of EncryptWall, in which the first half of the encryption key can be easily restored, which also allows attackers to decrypt and get hold of user data.
According to the researchers, using the popular TLS protocol instead of native cryptography would help developers avoid such problems. After responsible disclosure of the vulnerability, the problem was fixed by Tencent specialists in versions of the Sogou app 13.7 (Windows), 11.26 (Android) and 11.25 (iOS), but the fact remains.
The problem affected not only users from China. Citizen Lab statistics show that the app is also popular in the United States, Taiwan, Hong Kong, and Japan. Thus, the vulnerability has long been a threat to millions of users around the world. And it can continue to pose a threat if users don't update to the latest version of the app.
The disclosure of vulnerabilities in the Sogou Input Method coincided with the discovery of two critical vulnerabilities that we discussed yesterday. The vulnerabilities are related to the implementation method of MPC cryptographic protocols used in cryptocurrency wallets. Identified security flaws can also lead to the leakage of confidential data.
Experts note that software vendors should take a more responsible approach to implementing cryptographic solutions and thoroughly test them for vulnerabilities before implementing them in their applications.
Using well-established and well-studied cryptographic protocols like TLS minimizes the risk of such incidents. Unfortunately, many developers prefer to "reinvent the wheel" in this area, rather than use reliable ready-made solutions.
The Sogou Input Method incident has once again demonstrated that neglecting security in the design of cryptosystems can endanger the confidential data of millions of users around the world.
