Baidu Browser is a free web browser for the Windows and Android platforms, produced by Baidu, one of China’s largest technology companies. The browser offers some features beyond those found in standard browsers, including video and audio download tools and built-in torrent support.
The study from Citizen Lab at the University of Toronto found that:
- Baidu Browser for Windows and Android platforms transmits personal user data to Baidu servers without encryption and with easily decryptable encryption and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.
- The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.
- The Windows version of Baidu Browser also transmits some personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all web pages visited, and CPU model number, without encryption or with easily decryptable encryption.
- Neither the Windows nor Android versions of Baidu Browser protects software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code, representing a significant security risk.
- The Windows version of Baidu Browser contains a feature to proxy requests to certain websites, which permits access to some websites that are normally blocked in China.
- Analysis of the global versions of Baidu Browser indicates that the data leakage is the result of a shared Baidu software development kit (SDK), which affects hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.
The Lab also found last year that the UC Browser – with over 500 million users – similarly transmitted private data to its developer – Alibaba, another Chinese company.
Not good – read on why you must uninstall this browser now – despite assurances that the issues above have been addressed.
On November 26, 2015, Citizen Lab notified Baidu of its findings and intent to publish in 45 days. Baidu initially stated that the issues would be resolved in updates released on January 24, 2016. However, after Baidu identified that these security issues affected additional products, they requested Citizen Lab delay publication until after February 14, 2016.
Baidu indicated it would release updated versions of both the Windows and Android browsers by February 14, 2016. Citizen Labs performed an analysis of both updated versions to determine if the issues we identified had been resolved. Not all had been addressed.
The Chinese government strictly controls Internet use. Baidu can, and must, hand over user [meta] data to intelligence agencies and law enforcement. The data collection raises questions about whether it could be used against those who oppose government policies as well as for nefarious activities.
"While Internet companies often collect personal user data for the normal and efficient provision of services, it is unclear why Baidu Browser collects and transmits such an extensive range of sensitive user data points," the report said.
It also found that Baidu’s mobile apps sent similar data to its servers including IMEI and location.
Citizen Lab published a list of its questions to, and answers from, Baidu. It is an interesting lesson in avoidance and double speak. In particular:
‘Which laws, regulations, or policies (internal or external) govern Baidu’s collection of user data? What user data is Baidu required to collect under such law, regulation, or policy? The answer - unable to comment.
Is Baidu required by authorities to collect any user data as a condition for providing uncensored web access through its proxy feature? What data related to the proxy feature is Baidu required to share with the Chinese government? The answer - Unable to comment.
Makes other browsers seem lily white. If you are concerned about such privacy breaches, remove the browser and apps based on its SDK immediately.