Baidu Browser Still Leaks Personal Data, Researchers Warn

Web browsers created by Chinese search engine Baidu are not secure, Canadian security researchers have warned.

They said the Android and Windows browsers transmit personal user data to Baidu servers without encryption, or with easily breakable encryption.

Look Mum, No Encryption

Baidu is not a particularly well known brand in the West, but in its home market of China, it is a giant firm. And it seems to have a massive security flaw that it is endangering the the privacy of hundreds of millions of Chinese citizens.

According to The Citizen Lab, which is based at the University of Toronto in Canada, the Baidu browser has a seriously flaw as it transmits personal user data to Baidu servers without encryption or with easily decryptable encryption.

The researcher also warn it is “vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.”

The Citizen Lab provided a detailed breakdown of the problems with both the Android and Windows versions of the Baidu browser.

“The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption,” said the Citizen Lab.

Meanwhile it seems that the Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.

The researchers also warned that neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures. This means that an attacker could potentially cause the application to download and execute arbitrary code.

The Citizen Lab blamed the data leakage on a shared Baidu software development kit (SDK). This SDK has apparently been used to create “hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.”

Shoddy Response

The Citizen Lab first notified Baidu of its discovery back on 26 November last year, and said it would publish its finding after 45 days, giving it time to patch the flaws.

Baidu initially pledged to fix the vulnerabilities via an update by no later than 24 January. But when it discovered the flaw affected not just its browser, but many other apps created via its SDK, it asked for an extension until 14 February. The Citizen Lab agreed.

Baidu duly updated both browsers, but The Citizen Lab then examined the updates and still found four general security and privacy issues in the updated Android browser, and that only one of the flaws in the updated Windows version had actually been fixed.

“It’s either shoddy design or it’s surveillance by design,” Citizen Lab director Ron Deibert told Reuters.

Are you a security pro? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Google Must Face Trial In Ad Tech Monopoly Case

Google loses bid for summary judgement as judge says 'too many facts in dispute' as…

8 hours ago

Silicon In Focus Podcast: Feeding the Machine

Learn how your business can meet the challenges associated with managing data across multiple platforms…

8 hours ago

Apple, Meta Likely To Face EU Antitrust Charges

Apple, Facebook parent Meta reportedly likely to face EU antitrust charges before August under new…

9 hours ago

Adobe Shares Jump On AI Success

Adobe shares post biggest gains in more than four years after it reports user take-up…

9 hours ago

Winklevoss’ Gemini To Pay $50m In Crypto Fraud Settlement

Winklevoss twins' Gemini Trust to pay $50m to settle cypto fraud claims over failed Gemini…

10 hours ago

Meta Delays EU AI Launch After Privacy Complaints

Meta delays Europe launch of AI in Europe after user, privacy group complaints over plans…

10 hours ago