RedNote iOS & Android App

Critical vulnerabilities were uncovered by Citizen Lab researchers in the popular Chinese social media app RedNote (also known as XiaoHongShu), which boasts over 300 million active users globally. 

These security flaws, present in both Android and iOS versions, expose users' browsing activity, device metadata, and in some builds the files the app can read, to attackers positioned on the network path. 

The findings raise serious concerns about the app’s safety, especially as its user base expands in the United States following TikTok’s proposed ban.


Overview of the RedNote Vulnerabilities

Unencrypted Multimedia Traffic:

All analyzed versions of RedNote fetch images and videos over unencrypted HTTP connections. 

Anyone on the network path, from the operator of a Wi-Fi hotspot to an ISP or a state-level observer, can therefore read the request URLs in the clear. Intercepting traffic to RedNote's content delivery network (CDN) servers is enough to determine exactly which videos or images a user views.

Users’ browsing behaviour observable to network eavesdroppers
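To make the eavesdropping concrete, here is an added example (not code from the Citizen Lab report or from RedNote) of what a passive observer reconstructs from cleartext media fetches. The host names, paths and User-Agent in the captured requests are constructed for the example; the parsing is the same an analyst would run over a real capture.

```python
"""Reconstructing media-viewing activity from cleartext HTTP fetches.

Added example, not code from the Citizen Lab report or from RedNote: it
models what a passive on-path observer (Wi-Fi operator, ISP, or anyone who
can capture the traffic) recovers when an app loads media over plain HTTP.
The host names, paths and User-Agent below are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic: three requests exactly as they would appear on
# the wire when sent without TLS. Nothing here is encrypted, so the observer
# reads the full request line and all headers.
CAPTURED_REQUESTS = [
    b"GET /video/1001/720p.mp4 HTTP/1.1\r\n"
    b"Host: cdn.example-media.test\r\n"
    b"User-Agent: ExampleApp/8.0 (iPhone)\r\n\r\n",
    b"GET /image/2002/cover.jpg HTTP/1.1\r\n"
    b"Host: img.example-media.test\r\n"
    b"User-Agent: ExampleApp/8.0 (iPhone)\r\n\r\n",
    b"POST /api/v1/events HTTP/1.1\r\n"
    b"Host: api.example-media.test\r\n"
    b"Content-Length: 0\r\n\r\n",
]

MEDIA_SUFFIXES = (".mp4", ".m3u8", ".ts", ".jpg", ".jpeg", ".png", ".webp", ".gif")
# The first purely numeric path segment is treated as the content identifier
# (an assumption about the constructed URL scheme, not about any real CDN).
CONTENT_ID = re.compile(r"/(\d+)(?=/|$)")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into method, target and lowercased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def media_fetches(requests: List[bytes]) -> List[Dict[str, Optional[str]]]:
    """Return one record per cleartext media fetch: host, path, content id, client."""
    seen: List[Dict[str, Optional[str]]] = []
    for raw in requests:
        method, target, headers = parse_request(raw)
        path = target.split("?", 1)[0]
        if method != "GET" or not path.lower().endswith(MEDIA_SUFFIXES):
            continue
        m = CONTENT_ID.search(path)
        seen.append({
            "host": headers.get("host"),
            "path": path,
            "content_id": m.group(1) if m else None,
            "client": headers.get("user-agent"),
        })
    return seen


def viewed_content_ids(requests: List[bytes]) -> List[str]:
    """The browsing history an eavesdropper ends up with: ordered content ids."""
    return [f["content_id"] for f in media_fetches(requests) if f["content_id"]]


if __name__ == "__main__":
    for fetch in media_fetches(CAPTURED_REQUESTS):
        print(f'{fetch["client"]} viewed {fetch["content_id"]} from {fetch["host"]}{fetch["path"]}')
    print("history:", viewed_content_ids(CAPTURED_REQUESTS))
```

Had the same fetches gone over HTTPS, the observer would still see the server name (via SNI), timing and transfer sizes, which allows some fingerprinting, but not the path or content identifier that turns a capture into a viewing history.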

File Exposure on Android Devices:

Certain Android versions of RedNote, specifically those downloaded from the app's official website and the Xiaomi Mi Store, contain a vulnerability that enables a network attacker to read any file the app itself has permission to read. 

This issue stems from an upstream SDK called NEXTDATA (or Shumei), which is used for fraud prevention. Notably, this flaw does not affect the Google Play Store version or iOS versions.

“Network attackers can learn the contents of any files that RedNote has permission to read on the user’s device”, Citizen Lab researchers said

Leaked Device Metadata:

All tested versions transmit sensitive device metadata with inadequate protection.

Some versions send it over TLS (Transport Layer Security), but the client does not validate the server certificate, so an attacker in a man-in-the-middle (MITM) position can present any certificate, terminate the session, and read data such as screen size, mobile carrier details, and device specifications. 

Sample payload, captured from RedNote on iOS

This vulnerability is attributed to another upstream SDK, MobTech.

The researchers combined static and dynamic analysis to uncover these issues: jadx, IDA Pro, and frida to reverse-engineer and instrument the app code, and Wireshark and mitmproxy to observe and manipulate its network traffic.

One alarming discovery involves the NEXTDATA SDK's insecure handling of its "cloud configuration file." 

The SDK protects this file with DES in ECB mode and with AES-CBC under hardcoded keys. Because the keys ship inside the app, an attacker who extracts them can decrypt the configuration and re-encrypt a modified version that the SDK will accept. 

By tampering with this file, an attacker can remotely read files on users' devices or cause a denial of service by injecting regex patterns that trigger catastrophic backtracking (a regular-expression denial of service) when the SDK evaluates them.
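The regex denial of service described above is easy to reproduce and easy to guard against at the point where downloaded rules are applied. The following is an added example, not NEXTDATA/Shumei or RedNote code; the config format, rule names and patterns are constructed for illustration. It shows a tampered config carrying a catastrophic-backtracking pattern, and a loader that rejects such rules before running them.

```python
"""Applying regex rules from a downloaded "cloud configuration" safely.

Added example, not NEXTDATA/Shumei or RedNote code: it models an SDK that
fetches a list of regex rules and evaluates them on the device, and shows
why a config an attacker can rewrite turns into a denial of service. The
config format, rule names and patterns are constructed for this example.
"""
import re
import time
from typing import Dict, List, Tuple

# Constructed config as an attacker could deliver it when the transport gives
# no integrity (plain HTTP, unvalidated TLS, or a blob "encrypted" with a key
# that ships inside the app). The second rule is a classic catastrophic
# backtracking pattern.
TAMPERED_CONFIG = {
    "rules": [
        {"name": "device_id_format", "pattern": r"^[0-9a-f]{16}$"},
        {"name": "injected", "pattern": r"^(a+)+$"},
    ]
}

MAX_PATTERN_LEN = 256
MAX_INPUT_LEN = 1024
# Heuristic: a quantified group whose body itself ends in a quantifier,
# e.g. (a+)+ or (\d*)*. It is a conservative filter, not a proof of safety;
# an allow-list of pre-vetted patterns is the stronger design.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*}]\)[+*{]")


def is_suspicious(pattern: str) -> bool:
    """True when a downloaded pattern should not be compiled and run."""
    return len(pattern) > MAX_PATTERN_LEN or NESTED_QUANTIFIER.search(pattern) is not None


def apply_rules(config: dict, value: str, guard: bool = True) -> Tuple[Dict[str, bool], List[str]]:
    """Evaluate every rule on `value`; with guard=True unsafe rules are skipped.

    Returns (results by rule name, names of rejected rules).
    """
    results: Dict[str, bool] = {}
    rejected: List[str] = []
    if guard and len(value) > MAX_INPUT_LEN:
        value = value[:MAX_INPUT_LEN]
    for rule in config["rules"]:
        name, pattern = rule["name"], rule["pattern"]
        if guard and is_suspicious(pattern):
            rejected.append(name)
            continue
        results[name] = re.search(pattern, value) is not None
    return results, rejected


def time_rule(pattern: str, value: str) -> float:
    """Seconds spent matching one pattern; used only to show the blow-up."""
    start = time.perf_counter()
    re.search(pattern, value)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("guarded, benign input:", apply_rules(TAMPERED_CONFIG, "0123456789abcdef"))
    # Input crafted to defeat the injected rule: a run of 'a's and a final
    # mismatch, so the engine retries every way of splitting the run.
    evil_input = "a" * 20 + "!"
    print("guarded, crafted input:", apply_rules(TAMPERED_CONFIG, evil_input))
    print("injected rule alone took %.2fs" % time_rule(r"^(a+)+$", evil_input))
```

Running the script with `guard=False` on the crafted input is how the SDK would behave if it trusted the file: each extra `a` roughly doubles the matching time. The guard is a mitigation at the consumer; the real fix is to make the configuration untamperable in transit, which a key embedded in the app cannot provide.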

Similarly, MobTech SDK requests are encrypted at the application layer with AES-ECB under static keys, and the SDK does not validate TLS certificates. 

An attacker in the path can therefore terminate the TLS session with a certificate of their own, decrypt the metadata with the static key, and inject their own payloads into the requests.
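The certificate-validation failure behind both the MobTech finding here and the device-metadata leak above comes down to one client-side setting. The following is an added example, not MobTech, NEXTDATA or RedNote code: using Python's standard ssl module it shows the client configuration that accepts any MITM certificate, the configuration a client should use, and a small audit helper of the kind a reviewer writes when checking an SDK's networking layer. The host name in the demo is a placeholder.

```python
"""TLS client contexts: the certificate-validation bypass and the correct setup.

Added example, not MobTech, NEXTDATA or RedNote code: it shows, with
Python's standard ssl module, the client configuration that lets any
man-in-the-middle certificate through and the configuration a client should
use, plus an audit helper a reviewer would apply to an SDK's networking
layer. The host name used in main() is a placeholder.
"""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The shape of "uses TLS but does not validate the server certificate"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, or none at all
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verified chain, hostname check and a TLS 1.2 floor.

    cafile lets an app trust only its own CA (a form of pinning) instead of
    the platform store; None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client context."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def fetch_head(host: str, ctx: ssl.SSLContext, port: int = 443) -> bytes:
    """Issue a HEAD request; with secure_context() a MITM certificate fails here."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096)


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(label, audit_context(ctx) or "no findings")
    # Network demo against a placeholder host. With an interception proxy such
    # as mitmproxy in the path, only the insecure context completes the handshake.
    try:
        print(fetch_head("example.com", secure_context())[:60])
    except (OSError, ssl.SSLError) as exc:
        print("connection failed:", exc)
```

The same two properties, chain verification and hostname matching, are what a dynamic-analysis setup with mitmproxy tests for: if the app's traffic decrypts in the proxy without installing the proxy CA on the device, the client is accepting arbitrary certificates, exactly the condition reported here.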

Implications for Users

These vulnerabilities pose significant risks not only to Chinese users but also to international users—particularly those in countries with advanced surveillance capabilities like the United States and Five Eyes nations. 

Attackers could exploit these flaws to surveil users or compromise their devices on unsecured networks such as public Wi-Fi.

The report emphasizes that these issues are not unique to RedNote; similar vulnerabilities have been observed in other Chinese apps like TikTok. 

The systemic reliance on proprietary encryption methods or improper TLS implementations exacerbates these risks.

Recommendations

For Users:

  • Avoid using RedNote on untrusted networks such as public Wi-Fi.
  • Use a trusted VPN service to encrypt traffic on the local network; this only shifts the exposure to the VPN provider and the path beyond its exit, because the app's own HTTP traffic remains unencrypted end to end.
  • Consider alternative platforms until the vulnerabilities are addressed.

For Developers:

  • Migrate all network communications to HTTPS with proper TLS certificate validation; on Android, a Network Security Configuration with cleartextTrafficPermitted="false" blocks accidental HTTP use app-wide.
  • Replace home-grown encryption under hardcoded keys with well-supported libraries and authenticated encryption, and never rely on a key embedded in the app for confidentiality or integrity.
  • Regularly audit third-party SDKs for security compliance, including the transport and cryptography they use on the app's behalf.

For Regulators:

  • Enforce stricter data protection standards for apps operating within their jurisdictions.
  • Increase scrutiny of foreign apps handling sensitive user data.

The report highlights the urgent need for robust encryption practices in popular applications like RedNote.

Until these vulnerabilities are resolved, users should exercise caution when using the app, particularly in environments prone to surveillance or cyberattacks.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.