Sogou Input Method encryption system vulnerability disclosed (now fixed): attackers could steal what users type

Recently, researchers from the Citizen Lab at the University of Toronto in Canada discovered a vulnerability in the encryption system of Sogou Input Method, a popular Chinese input method, that allows network eavesdroppers to decipher what users type. The vulnerability has now been fixed.

The researchers found that the vulnerable software versions span three major platforms: Windows 13.4, Android 11.20 and iOS 11.21. Sogou's custom in-house encryption system, EncryptWall, is vulnerable to a CBC padding oracle attack on Windows and Android. The vulnerability allows a network eavesdropper to recover the plaintext of encrypted network transmissions, leaking sensitive information. A vulnerability was also found on iOS, but the specific method of exploiting it is not clear.

[Figure: Sample excerpt of recovered data; line 11 contains the typed text.]

The EncryptWall encryption system is designed to securely carry sensitive traffic to unencrypted Sogou HTTP API endpoints by placing it in encrypted fields inside plain HTTP POST requests. Where EncryptWall requests are made over HTTPS, the researchers believe these requests are secure, although flaws in the underlying encryption of EncryptWall requests may still exist.

The researchers note that the CBC padding oracle attack is a chosen-ciphertext attack that was first published as early as 2002. It recovers the plaintext of a message byte by byte, using up to 256 messages per byte. The attack relies on the presence of a side channel called a padding oracle, which unambiguously reveals whether a received ciphertext was padded correctly when decrypted.
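The side channel described above, and one standard way to close it, shown as an added example that is not code from Sogou, EncryptWall or the Citizen Lab report and does not represent Sogou's actual fix. The handler names, status strings and the Feistel stand-in for a real block cipher are assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, os

BS = 16  # block size in bytes
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, block, decrypt=False):
    # Stand-in block cipher (4-round Feistel over HMAC-SHA256) so the example
    # needs only the standard library; an assumption of this sketch, not AES.
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + (l if decrypt else r), hashlib.sha256).digest()
        l, r = (xor(r, f), l) if decrypt else (r, xor(l, f))
    return l + r

def cbc_encrypt(key, pt):
    pad = BS - len(pt) % BS
    pt += bytes([pad]) * pad  # PKCS#7 padding
    out = [os.urandom(BS)]  # random IV is sent as the first block
    for i in range(0, len(pt), BS):
        out.append(prp(key, xor(pt[i:i + BS], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, msg):
    # Returns the plaintext, or None when the PKCS#7 padding is malformed.
    blocks = [msg[i:i + BS] for i in range(0, len(msg), BS)]
    pt = b"".join(xor(prp(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    n = pt[-1] if pt else 0
    return pt[:-n] if 1 <= n <= BS and pt[-n:] == bytes([n]) * n else None

def handle_weak(key, msg):
    # Vulnerable pattern: the reply tells any sender whether padding was valid.
    return "200 ok" if cbc_decrypt(key, msg) is not None else "400 bad padding"

def seal(enc_key, mac_key, pt):
    ct = cbc_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def handle_hardened(enc_key, mac_key, msg):
    # Encrypt-then-MAC: constant-time tag check first; one reply for every failure.
    ct, tag = msg[:-32], msg[-32:]
    good = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    if good and cbc_decrypt(enc_key, ct) is not None:
        return "200 ok"
    return "400 rejected"

def accepted(handler, msg, pos):
    # How many of the 256 values for byte `pos` the handler answers with 200.
    return sum(handler(msg[:pos] + bytes([v]) + msg[pos + 1:]) == "200 ok" for v in range(256))
```

With unauthenticated CBC, a modified ciphertext can still be accepted as correctly padded, and the differing replies are the oracle; with the tag verified first, only the untouched message is accepted and tampered input never reaches the padding check.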

The researchers reported the vulnerability to Sogou on May 31 this year, and the final fixed versions were officially released on July 20 (Windows 13.7, Android 11.26 and iOS 11.25). Users of Sogou Input Method are strongly advised to upgrade to these versions immediately.

According to the researchers' report, Sogou input method is the most popular Chinese input method, accounting for 70% of Chinese input method users, with more than 455 million monthly active users.


Origin blog.csdn.net/FreeBuf_/article/details/132239179