• sawa@lemmy.world
    link
    fedilink
    arrow-up
    40
    ·
    8 months ago

    TLDR:

    This study mainly targets Pinyin input, the most popular Chinese input method (hence 1bn potentially affected).

    Vulnerabilities were due to the keyboards’ use of the cloud for dictionaries used in IMEs (essentially a conversion engine). Such IMEs are must-haves for certain languages and converts A-Zs to other scripts. Lack of E2EE resulted in exposed keystrokes.


    Personally I would recommend switching to something which uses a local dictionary. RIME is a good FOSS alternative and can be configured to work on Android via fcitx.

    While the study doesn’t cover English keyboards, this is as good a reminder as any not to use in-built dictionaries in general unless you have to.

  • moon@lemmy.ml
    link
    fedilink
    arrow-up
    21
    ·
    8 months ago

    A billion vulnerable users is wild. I’m sure there are government entities taking advantage of this already

      • delirious_owl
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        8 months ago

        Yeah and didn’t she work with Citizen Lab in the past about this? I’m wondering what’s new here.

        • Aatube@kbin.melroy.org
          link
          fedilink
          arrow-up
          2
          ·
          8 months ago

          What’s new is that apparently “We reported these vulnerabilities to all nine vendors. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable.”

  • delirious_owl
    link
    fedilink
    arrow-up
    10
    ·
    8 months ago

    This report is not about how operators of cloud-based IMEs read users’ keystrokes, which is a phenomenon that has already been extensively studied and documented. This report is primarily concerned with the issue of protecting this sensitive data from network eavesdroppers.

    So basically, even after these vulns are fixed, the attacker can just NSL the cloud providers and, boom, surveillance slurping continues.

  • I_Miss_Daniel@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    8 months ago

    Swype is not listed in this document.

    I didn’t read far enough to see if it only affected pinyin (Chinese) cloud features or all languages.