Security Market Segment LS
Friday, 26 February 2016 16:06

Baidu is badforu – web browser and thousands of apps transmit personal data home Featured

By

Researchers have found that the Chinese Baidu browser and apps based on its SDK transmit user's search terms, GPS coordinates, the addresses of websites visited and device's MAC or IMEI address to Baidu's servers without using SSL/TLS encryption or gaining the users permission.

Baidu Browser is a free web browser for the Windows and Android platforms, produced by Baidu, one of China’s largest technology companies. The browser offers some features beyond those found in standard browsers, including video and audio download tools and built-in torrent support.

The study from Citizen Lab at the University of Toronto found that:

  • Baidu Browser for Windows and Android platforms transmits personal user data to Baidu servers without encryption and with easily decryptable encryption and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.
  • The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.
  • The Windows version of Baidu Browser also transmits some personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all web pages visited, and CPU model number, without encryption or with easily decryptable encryption.
  • Neither the Windows nor Android versions of Baidu Browser protects software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code, representing a significant security risk.
  • The Windows version of Baidu Browser contains a feature to proxy requests to certain websites, which permits access to some websites that are normally blocked in China.
  • Analysis of the global versions of Baidu Browser indicates that the data leakage is the result of a shared Baidu software development kit (SDK), which affects hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.

The Lab also found last year that the UC Browser – with over 500 million users – similarly transmitted private data to its developer – Alibaba, another Chinese company.

Not good – read on why you must uninstall this browser now – despite assurances that the issues above have been addressed.

On November 26, 2015, Citizen Lab notified Baidu of its findings and intent to publish in 45 days. Baidu initially stated that the issues would be resolved in updates released on January 24, 2016. However, after Baidu identified that these security issues affected additional products, they requested Citizen Lab delay publication until after February 14, 2016.

Baidu indicated it would release updated versions of both the Windows and Android browsers by February 14, 2016. Citizen Labs performed an analysis of both updated versions to determine if the issues we identified had been resolved. Not all had been addressed.

The Chinese government strictly controls Internet use. Baidu can, and must, hand over user [meta] data to intelligence agencies and law enforcement. The data collection raises questions about whether it could be used against those who oppose government policies as well as for nefarious activities.

"While Internet companies often collect personal user data for the normal and efficient provision of services, it is unclear why Baidu Browser collects and transmits such an extensive range of sensitive user data points," the report said.

It also found that Baidu’s mobile apps sent similar data to its servers including IMEI and location.

Citizen Lab published a list of its questions to, and answers from, Baidu. It is an interesting lesson in avoidance and double speak. In particular:

‘Which laws, regulations, or policies (internal or external) govern Baidu’s collection of user data? What user data is Baidu required to collect under such law, regulation, or policy? The answer - unable to comment.

Is Baidu required by authorities to collect any user data as a condition for providing uncensored web access through its proxy feature? What data related to the proxy feature is Baidu required to share with the Chinese government? The answer - Unable to comment.

Makes other browsers seem lily white. If you are concerned about such privacy breaches, remove the browser and apps based on its SDK immediately.                        

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.

REGISTER HERE!

LAYER 1 ENCRYPTION A KEY TO CYBER-SECURITY SOLUTION

Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.

DOWNLOAD!

Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

VENDOR NEWS & WEBINARS

REVIEWS

Recent Comments