Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.

  • gnuhaut
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    7
    ·
    1 year ago

    Can you point to where it says that in the report? It actually says:

    an IME will commonly reach out over the network to a cloud-based service for suggestions if suitable suggestions are not available in the input method’s local database.

    So it doesn’t send “every key typed”.

    • Hawk@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      3
      ·
      1 year ago

      Literally says in bold even:

      the keystrokes of Sogou Input Method users can be decrypted by a network eavesdropper, informing the eavesdropper of what users are typing as they type.

      AKA every keystroke

      • gnuhaut
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        I assume they mean “if suitable suggestions are not available in the input method’s local database”. Like you start typing a word, and when it doesn’t find any match locally, it goes to the server. After that, any additional keystroke gets reported to the server “as they type”.