Android and Windows versions of the Baidu browser have been found to have security risks. (Photo by Jon Russel via flickr)

Citizen Lab researchers find privacy problems in popular Baidu browser

University of Toronto undergrad Jing Zhou knows a lot about surveillance issues in China and Canada, but even she’s surprised by findings that hundreds of millions of people are at risk of hacking and surveillance because of a popular internet browser.

This week, the Citizen Lab at the University of Toronto’s Munk School of Global Affairs released a report showing that the Android version of Baidu Browser, made by one of China’s largest technology companies, leaks a user’s location, browsing history and other data because of poor or missing encryption whenever the browser is used.

And the browser’s Windows version leaks even more data, including computer serial numbers. Any individual, company and government can hack a device or spy on users’ online habits.

Zhou is concerned about the human rights implications given the increasing number of people from China worried about hacking and surveillance. She helps to run a student club called , which raises awareness about human rights abuses.

“In Toronto, there are Chinese officials surveilling students, religious practitioners and community members,” says Zhou, who moved from China to Canada in 2001 and is finishing a management degree at U of T. “Not only in Canada, but in China, the government and police track down your relations and monitor them.”

Baidu runs the most used search engine in China – but it’s also used around the world in Chinese, English and other languages.

Many of the vulnerabilities are due to missing or poor encryption used by something called software development kits (SDKs), which are present in more than 22,000 apps related to Baidu, researchers say. The apps have been downloaded billions of times.

“Baidu and anyone monitoring your traffic can use your hardware’s serial numbers to track your GPS location, nearby wireless networks, and every unencrypted and encrypted web page you visit,” says Jeffrey Knockel, the report’s lead author and a senior researcher at the Citizen Lab. “Most users would have no way of knowing their personal data was being transmitted this way, and would be unable to prevent it.”

In addition, Baidu Browser doesn’t include special codes (a norm with other browsers) when it downloads routine software updates, which would allow hackers to secretly install malicious software on computers and phones.

In May 2015, Citizen Lab identified similar security concerns with UC Browser, a popular browser owned by e-commerce giant Alibaba, also based in China. The security issues in UC Browser were identified in documents leaked by Edward Snowden that revealed that intelligence agencies in Canada, the United States, the United Kingdom, Australia and New Zealand had used the vulnerabilities to identify users.

The report is part of the Citizen Lab’s ongoing research into privacy and security of popular mobile applications used in Asia, including China’s censorship of Google, Microsoft, and Yahoo search engines and its censorship and surveillance in TOM-Skype, a Chinese version of Skype.

In November 2015, Citizen Lab researchers notified Baidu of the browser’s security issues. The company released updates that remedied some of the issues in January 2016, but many still remain unresolved.

“I wouldn’t use Baidu anyway, as it’s not as good as Google,” Zhou says. “Now that I know about the problems, I’m glad that I can avoid it in Canada.

“They have to make Baidu more secure,” Zhou says. “People don’t have to undergo surveillance all the time.”

 
