Vulnerability in Tencent's Sogou Chinese Keyboard Can Leak Text Input in Real-Time

Security researchers at Citizen Lab discovered a number of cryptographic vulnerabilities in the Sogou Input Method keyboard software made by Tencent, the most popular input method in China. These vulnerabilities allow adversaries with a privileged network position to read the text a user inputs on a device in real-time as it's being typed. Of particular note, Sogou Input Method has around 450 million monthly active users worldwide. It is not known if this vulnerability was previously discovered or exploited. The researchers found this vulnerability was due to the use of custom cryptography vulnerable to a padding oracle attack. As of 2003, the vulnerabilities in this particular implementation were already fixed in TLS implementations. By bringing these vulnerabilities to light, public-interest analysts serve as a bulwark against the secretive hoarding of vulnerabilities by authorities and deployment of them as a spying tool used to invade the privacy of us all.