Look Mum, no encryption! Baidu Browser transmits personal data in the clear, warns Citizen Lab researchers
Web browsers created by Chinese search engine Baidu are not secure, Canadian security researchers have warned.
They said the Android and Windows browsers transmit personal user data to Baidu servers without encryption, or with easily breakable encryption.
Look Mum, No Encryption
Baidu is not a particularly well known brand in the West, but in its home market of China, it is a giant firm. And it seems to have a massive security flaw that it is endangering the the privacy of hundreds of millions of Chinese citizens.
According to The Citizen Lab, which is based at the University of Toronto in Canada, the Baidu browser has a seriously flaw as it transmits personal user data to Baidu servers without encryption or with easily decryptable encryption.
The researcher also warn it is “vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.”
The Citizen Lab provided a detailed breakdown of the problems with both the Android and Windows versions of the Baidu browser.
“The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption,” said the Citizen Lab.
Meanwhile it seems that the Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.
The researchers also warned that neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures. This means that an attacker could potentially cause the application to download and execute arbitrary code.
The Citizen Lab blamed the data leakage on a shared Baidu software development kit (SDK). This SDK has apparently been used to create “hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.”
The Citizen Lab first notified Baidu of its discovery back on 26 November last year, and said it would publish its finding after 45 days, giving it time to patch the flaws.
Baidu initially pledged to fix the vulnerabilities via an update by no later than 24 January. But when it discovered the flaw affected not just its browser, but many other apps created via its SDK, it asked for an extension until 14 February. The Citizen Lab agreed.
Baidu duly updated both browsers, but The Citizen Lab then examined the updates and still found four general security and privacy issues in the updated Android browser, and that only one of the flaws in the updated Windows version had actually been fixed.
“It’s either shoddy design or it’s surveillance by design,” Citizen Lab director Ron Deibert told Reuters.
Are you a security pro? Try our quiz!