Baidu Browser Collects Mounds of User, Device Data: Report

Baidu Browser, a web navigation application available on Android and Windows devices, is collecting a large amount of personally identifiable data and transmitting it to Baidu servers without encryption, Citizen Lab researchers have discovered.

In a report published this week, Citizen Lab’s Jeffrey Knockel, Sarah McKune and Adam Senft explain that the Chinese variants of the browser send the collected data without encryption or with weak encryption to the company’s servers, and that they are also vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.

Last year, Citizen Lab researchers discovered similar security and privacy vulnerabilities in the popular mobile web browser UC Browser, including the fact that the app was sending user and device identifiers (IMSI, IMEI) and location data (cell tower data) to a remote server. Over Wi-Fi, the browser was sending the same data, along with Wi-Fi-related data, with weak or no encryption.

According to the researchers, the Android version of the Baidu Browser gathers information such as a user’s GPS coordinates, search terms, and URLs visited, and sends it to the Baidu servers unencrypted. Furthermore, it sends information such as a device’s IMEI and a list of nearby wireless networks with easily decryptable encryption.

The Windows variant, on the other hand, gathers information such as the user's search terms, the hard drive serial number and model, the network MAC address, the URL and title of every webpage visited, and the CPU model number. The browser also contains a feature that proxies requests to certain websites, which allows access to some sites that are blocked in China.

The researchers say that both the Android and Windows versions of the browser fail to protect software updates with code signatures. As a result, a malicious actor could use a man-in-the-middle attack to cause the application to download and execute arbitrary code, a vulnerability that is present in other popular third-party software as well, the Citizen Lab report says.

The researchers analyzed version 6.2.18.0 of the Chinese variant of Baidu Browser for Android and discovered the aforementioned security and privacy flaws, which Baidu said would be fixed this month. They also analyzed version 7.6.100.2089 of the Chinese Windows browser iteration, which Baidu said would be enhanced by May of this year.

After Baidu released updates to these apps, the Citizen Lab researchers analyzed them again and found that some of the reported issues had been resolved while others remained unfixed. Both the Android and Windows versions resolved the insecure update flaw, but both still leak the contents of the address bar as the user types into it.

Additionally, Citizen Lab researchers analyzed the international variant of Baidu Browser and found that, while the Windows variant did not include these security and privacy vulnerabilities, the Android version did. They also examined other Baidu applications and found that many of them put their users' data at risk as well.

According to the report, the international version of Baidu Browser for Windows does send search terms entered into the address bar, but it sends them encrypted over SSL. The browser also sends other information via HTTP during startup and in response to other application operations, but that payload is encrypted with a randomly generated 128-bit AES key which is in turn encrypted with a 1024-bit RSA key, a hybrid scheme in which only the holder of the RSA private key can recover the AES key. (1024-bit RSA is below the 2048-bit minimum now generally recommended, so the key wrapping is weaker than it should be, but it is not the symmetric, easily decryptable encryption found in the other variants.)

The global version of Baidu Browser for Android, on the other hand, leaks user data at startup just as its Chinese counterpart does, and the researchers say that the shared leaks come from a common software development kit used by both browser versions. The global Android browser also sends information about page views encrypted with a symmetric, easily decryptable algorithm, and sends sensitive information to an additional server, though it uses a 1024-bit RSA key to encrypt that traffic.

The researchers note that the Android versions of the browser are built using the Baidu Mobile Tongji (Analytics) SDK and that security firm Lookout confirmed to them that there are 22,548 unique app package names that contain the SDK. 454 of these are in the Google Play store, but, since the official marketplace is not available in China, thousands of them are distributed via third-party stores there.

Apparently, all applications that use the SDK for statistics and event tracking automatically send messages to Baidu’s servers, transmitting sensitive information with weak or no encryption. Researchers also note that, unlike Baidu’s SDK, the development tool provided by Google does not upload personally identifiable information on the user or device, and also prohibits third-parties from doing so.

In addition to informing Baidu of the discovered security vulnerabilities, Citizen Lab researchers asked the company several questions about its data collection and transmission practices and requested details on the regulations and policies that govern Baidu's collection of user data, but few of these questions received a clear response from the company.

Related: Researcher Hijacks Android Phone via Chrome Vulnerability

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android