![](https://cdn.technadu.com/wp-content/uploads/2025/02/DeepSeek-iOS.jpg)
Researchers have found several security issues in the China-based social media app Xiaohongshu, commonly known as RedNote in English. The app, available on Android and iOS, fetches images and videos over HTTP, which exposes users' browsing activity to unauthorized access in all of its versions.
The Citizen Lab research team discussed these flaws in a recent report. They downloaded RedNote version 8.41.0 from the Xiaomi Store and tested it on Android 14 in October 2024.
The cybersecurity researchers tested RedNote version 8.69.3 from the RedNote website and Xiaomi Mi Store and RedNote version 8.59.2 from the Google Play Store and found that the vulnerabilities persisted. The vulnerabilities were also found in version 8.69 on the Apple App Store.
These are the software development kit (SDK) details leading to data exposure impacting RedNote users:
Nextdata - Some versions of RedNote have vulnerabilities that could be exploited to view any file that RedNote has permission to access on a user’s device. Researchers shared that the cause of the security issue is Nextdata, a software development kit (SDK) used by RedNote.
The Nextdata OS allows real-time content moderation solutions for data protection and data meshes, among other features. This software was not found in Android or iOS versions of RedNote.
MobTech - The security loopholes associated with RedNote were inefficiently encrypted device data, information shared without certificate validation, network metadata exposed to unauthorized users, and exposure of the mobile network carrier name. These issues impacted all the versions of RedNote that the researchers tested.
The examination of the versions was performed using both static and dynamic analysis methods with the following:
By exploiting the above vulnerabilities, several other entities, including internet service providers (ISPs) and virtual private networks (VPNs), can also access user data. These findings are part of a smaller research effort and do not include a full security audit of RedNote.
The Citizen Lab researchers who investigated and published these findings about RedNote reported them to the respective service providers starting in November 2024. However, they had not received any response as of the report's publication this month.
Expressing concern over data privacy, the report noted, “The issues that we found make these users especially vulnerable to surveillance by non-Chinese governments, which might not already have methods to obtain data about those individuals.”
Given that the user base of the social media app exceeds 300 million, there is an immense risk of data violation. Several researchers have also raised concerns about U.S. citizens' data being subjected to censorship and third-party tracking, and about the privacy properties of RedNote.