Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.

    1411 months ago

  • godless
    411 months ago

    I live in China and this software is cancerous not just in the encryption failure, it also nestles into a computer like a trojan. Creates 2 fallback installations and will reinstall itself after removal if you reboot in between, unless you get rid of all 3 installations at once, where they are deliberately trying to obfuscate the uninstall button (triple confirmation, swapping the confirm/cancel buttons and button background colors, etc.).

    It’s a nasty piece of crap that comes preloaded on any phone (Android, at least) and Windows PC here.

  • Milk
    311 months ago

    “Notice the lack of surprise.”

    111 months ago

    Can you point to where it says that in the report? It actually says:

    an IME will commonly reach out over the network to a cloud-based service for suggestions if suitable suggestions are not available in the input method’s local database.

    So it doesn’t send “every key typed”.

      -111 months ago

      Literally says in bold even:

      the keystrokes of Sogou Input Method users can be decrypted by a network eavesdropper, informing the eavesdropper of what users are typing as they type.

      AKA every keystroke

    111 months ago

    As if other keyboard apps are any different, I don’t think Microsoft bought SwiftKey just for fun?!

    111 months ago

    What’s the deal with Android “keyboards”? Why is it just an app that you can install? And why can it have more functionality/permissions from the OS beyond just being a local keyboard? As an iOS user this is very bizarre and foreign to me.

    I feel like every time the topic of Android keyboards (again, why is this a thing?) comes up it’s some kind of big spyware thing. Seems like most every app on Android and iOS is spyware anyway, of course.

      111 months ago

      There are some legitimate reasons to have a separate keyboard. I use Keepass2Android’s keyboard to enter passwords from Keepass. This way, there’s direct access to the password database instead of copying passwords/usernames/other fields to the system clipboard.

      011 months ago

      Tencent owns sizeable pieces (and outright owns) of more companies than you can imagine.

      • JJROKCZ
        011 months ago

        They invest in basically any tech company that is open to investment and willing to accept Chinese investors. To the CCP the data of the west is worth any price.

        011 months ago

        Apparently they’ve been caught up in working on predictions for a good while, which has been harder than they expected, so that’s slowed development and releases considerably. So not abandoned by the devs, for what it’s worth.

        • nudny ekscentryk
          111 months ago

          Perhaps. The last update is from June 2022 and the last contribution is 3 months old.

    011 months ago

    So when the Chinese do it it’s scary, but when the Americans do it it’s just “established practice”?