submitted 1 week ago* (last edited 1 week ago) by Cat@ponder.cat to c/technology@lemmy.world

Key findings

  • We analyzed RedNote on Android and iOS for network security issues and found that all versions of RedNote fetch viewed images and videos over HTTP, which enables network eavesdroppers to learn exactly what content users are browsing.
  • Some versions of RedNote contain a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users’ devices. This issue was introduced by an upstream software development kit (SDK) used by RedNote, NEXTDATA, but is not present in Android versions downloaded from the Google Play Store nor in the iOS version.
  • All versions of RedNote that we analyzed also transmitted insufficiently encrypted device metadata, sometimes over TLS without certificate validation, enabling network attackers to learn device and network metadata, such as device screen size and the mobile network carrier. This issue was introduced by an upstream SDK, MobTech.
  • We responsibly disclosed the relevant issues to NEXTDATA on November 13, 2024, to MobTech on November 26, 2024, and to RedNote on January 16, 2025. At the time of publication, no party had responded to our disclosures.
  • All the issues we discovered could be mitigated through the use of TLS. Yet again, this work highlights the importance of using well-supported encryption implementations.
[-] Xanza@lemm.ee 4 points 1 week ago* (last edited 1 week ago)

I'm skeptical. Citizen Lab is great, but just because they didn't reply doesn't mean these issues weren't worked on or fixed. They tested 8.59.2 and the current US version is 8.59.5 with the current Chinese version being 8.70.6.

There's been dozens of updates since the test, so it's hard to say if these tests are even valid anymore. Additionally:

Network attackers can read users’ file contents on the Android versions of the application available for download on RedNote’s website and on the Mi Store, but not in the version downloaded from the Google Play Store or the iOS version.

The major security issue isn't even possible as long as you get them directly from the Play Store.

this post was submitted on 12 Feb 2025
43 points (100.0% liked)
