SecurityWeek

Privacy

Baidu Browser Collects Mounds of User, Device Data: Report

Baidu Browser, a web navigation application available on Android and Windows devices, is collecting a large amount of personally identifiable data and transmitting it to Baidu servers without encryption, Citizen Lab researchers have discovered.

In a report published this week, Citizen Lab’s Jeffrey Knockel, Sarah McKune and Adam Senft explain that the Chinese variants of the browser send the collected data without encryption or with weak encryption to the company’s servers, and that they are also vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.

Last year, Citizen Lab researchers discovered similar security and privacy vulnerabilities in the popular mobile web browser UC Browser, including the fact that the app was sending user and device identifiers (IMSI, IMEI) and location data (cell tower data) to a remote server. Over Wi-Fi, the browser was sending the same data, along with Wi-Fi-related data, with weak or no encryption.

According to the researchers, the Android version of the Baidu Browser gathers information such as a user’s GPS coordinates, search terms, and URLs visited, and sends it to the Baidu servers unencrypted. Furthermore, it sends information such as a device’s IMEI and a list of nearby wireless networks with easily decryptable encryption.

The Windows variant, on the other hand, gathers information such as the user’s search terms, hard drive serial number and model, network MAC address, the URL and title of every webpage visited, and the CPU model number. The browser also contains a feature that proxies requests to certain websites, allowing access to sites that are blocked in China.

The researchers say that both the Android and Windows versions of the browser fail to protect software updates with code signatures. As a result, a malicious actor could use a man-in-the-middle attack to cause the application to download and execute arbitrary code, a vulnerability that is present in other popular third-party software as well, the Citizen Lab report says.

The researchers analyzed version 6.2.18.0 of the Chinese variant of Baidu Browser for Android and discovered the aforementioned security and privacy flaws, which Baidu said would be fixed this month. They also analyzed version 7.6.100.2089 of the Chinese Windows browser iteration, which Baidu said would be enhanced by May of this year.

After Baidu released updates to these apps, the Citizen Lab researchers analyzed them again and found that some of the reported issues had been resolved while others remained unfixed. Both the Android and Windows versions fixed the insecure update flaw, yet both still leak the contents of the address bar as the user types into it.

Additionally, Citizen Lab researchers analyzed the international variant of Baidu Browser and found that, while the Windows variant did not include these security and privacy vulnerabilities, the Android iteration did. They also examined other Baidu applications and found that many of them likewise put their users’ data at risk.

According to the report, while the international version of Baidu Browser for Windows does send search terms entered into the address bar, that data is sent encrypted over SSL. The browser also sends other information via HTTP during startup, along with data triggered by other application operations, but the payload is encrypted with a randomly generated 128-bit AES key that is itself encrypted with a 1024-bit RSA key, so the symmetric session key is protected by asymmetric encryption.

The global version of Baidu Browser for Android, on the other hand, leaks user data at startup just as its Chinese counterpart does, and the researchers attribute the shared leaks to a common software development kit used by both browser versions. The global Android browser also sends information about page views encrypted with a symmetric, easily decryptable algorithm, and sends sensitive information to an additional server, though for that it uses a 1024-bit RSA key.

The researchers note that the Android versions of the browser are built using the Baidu Mobile Tongji (Analytics) SDK, and security firm Lookout confirmed to them that 22,548 unique app package names contain the SDK. Of these, 454 are in the Google Play store, but, since the official marketplace is not available in China, thousands of them are distributed there via third-party stores.

Apparently, all applications that use the SDK for statistics and event tracking automatically send messages to Baidu’s servers, transmitting sensitive information with weak or no encryption. The researchers also note that, unlike Baidu’s SDK, the development tool provided by Google does not upload personally identifiable information about the user or device, and also prohibits third parties from doing so.

In addition to informing Baidu of the discovered security vulnerabilities, Citizen Lab researchers asked the company several questions about its data collection and transmission practices and requested details on the regulations and policies that govern Baidu’s collection of user data, yet few of these questions received a clear response from the company.

Related: Researcher Hijacks Android Phone via Chrome Vulnerability

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android
