Popular Chinese-language service Sogou exposed to ‘eavesdropper,’ report says
Network transmissions by a Chinese technology company used by more than 455 million people a month were exposed to a “network eavesdropper” that captured keystrokes in real time, according to a report released Wednesday.
Sogou Input Method, software for typing Chinese characters on computers or mobile devices, was found to have “troubling vulnerabilities” in its encryption system, according to researchers at the human rights and global security organization Citizen Lab.
The researchers’ findings potentially represent another example of the Chinese government having access to communications by a product’s users. Since keystrokes coming from Sogou services are transmitted to servers operating under the jurisdiction of the government, users must be cautious when sharing sensitive data, the report said. Sogou products are open to customers outside of China, the report noted.
Sogou is a subsidiary of Chinese tech giant Tencent. The vulnerabilities were shared with Sogou developers, who fixed the software and released new versions of it last month, according to Citizen Lab.
“While we have had some success in coordinating with developers to resolve these issues, the ecosystem remains problematic, as here we are, again, reporting on how an unimaginably popular Chinese-developed app fails to adopt even simple best practices to secure the sensitive data which it transmits,” the report said.
The researchers said they have spent eight years analyzing, documenting, and disclosing vulnerabilities in Chinese apps and warned that anyone using Sogou must be aware that their sensitive data could be exposed.
Sogou Input Method, when installed on phones or computers, enables users to type Chinese characters more easily. Typing the tens of thousands of Chinese characters in use is more challenging than typing the 26 letters of the Latin alphabet, making input methods vital.
Sogou is used by 70% of Chinese input method users, Citizen Lab reports.
Even with the reported vulnerabilities now resolved, the Sogou app relies on transmitting typed content to Sogou’s servers to function, the report says, suggesting that users will still need to trust the security of those servers going forward.
“The attacks outlined in this report demonstrate how network eavesdroppers can decipher such data in transit,” the report says. “However, even with the vulnerabilities resolved, such data will still be accessible by Sogou’s operators and by anyone with whom they share the data.”
Citizen Lab researchers analyzed the Windows, Android, and iOS versions of the software and detected the vulnerabilities in the company’s custom-designed “EncryptWall,” revealing problems in how it encrypts sensitive data.
The discovery highlights how critical it is for Chinese software developers to rely on tested encryption implementations such as TLS as opposed to designing their own, the report said.
Citizen Lab said U.S.-based visitors make up more than 3% of Sogou users, while Taiwan-based users account for 1.8% and Japan-based users over 1.5%.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.