Shen Yu, co-founder of the well-known cryptocurrency mining pool F2Pool, issued a warning on Twitter on Monday (April 29th), suggesting that the cloud-based input methods used by up to one billion users might have leaked input data. He emphasized that serious vulnerabilities exist in eight Chinese input method applications and urged caution to prevent the leakage of cryptocurrency wallet private keys.
Shen Yu noted that cloud-based Pinyin input method software, used by over one billion users, might have leaked input content. If users have entered wallet mnemonic phrases or other sensitive information using the input methods discussed below, he urged taking appropriate measures to reduce the risk of hacker intrusions.
According to Shen Yu’s tweets, which quote The Citizen Lab, input method software from nine companies was analyzed: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, VIVO, and Xiaomi. The software from eight of these companies contained severe vulnerabilities, with only Huawei being spared.
When previous studies are included, such as the vulnerabilities found in Sogou’s input method, at least one billion users are estimated to be affected. The reasons include potential large-scale collection of user input data.
The Citizen Lab raised several concerns: the vulnerabilities affect a broad user base; the information typed on keyboards is highly sensitive; discovering these vulnerabilities does not require advanced technical skills; and in the past, the Five Eyes alliance has exploited similar vulnerabilities in Chinese apps for surveillance purposes.
The Five Eyes alliance consists of Australia, Canada, New Zealand, the United Kingdom, and the United States, forming an international intelligence-sharing group under the UKUSA Agreement.
In tests conducted on applications from nine software providers, only Huawei's product was found to have no security issues related to uploading user input content to the cloud. Each of the other applications contained at least one vulnerability that allows a passive network attacker to monitor the complete content of user inputs.
Conversely, Apple's iOS system did not show any vulnerability in the tests.
Active network eavesdropping attacks require the attacker to send out signals, such as altering a small amount of data during message transmission, in order to decrypt encrypted content, and are comparatively easier to detect.
Passive network eavesdropping attacks do not need to emit any signals and can decrypt data simply by reading it during transmission, making them harder to detect.
After detecting the vulnerabilities, The Citizen Lab submitted the information to the software companies. It is understood that some companies have patched some of the more severe vulnerabilities, while others have not made any repairs.
To raise security awareness, The Citizen Lab advised users of Sogou, QQ, Baidu, and iFlytek input methods, whether manually installed from app stores or pre-installed on operating systems, to ensure their input methods and operating systems are kept up to date.
The organization also noted that privacy-conscious users should disable any cloud features in their input methods, and that privacy-conscious Apple iOS users should not enable “Full Access” for their input methods.