Menu
Baidu web browsers leaked sensitive information, researchers say

Baidu web browsers leaked sensitive information, researchers say

Baidu has fixed some of the issues, but others remain

Two web browsers developed by Chinese search giant Baidu have been insecurely transmitting sensitive data across the Internet, putting users' privacy at risk, according to a new study.

Baidu responded by releasing software fixes, but researchers say not all the issues have been resolved.

The study was published Tuesday by Citizen Lab, a research group that's part of the University of Toronto. 

It focused on the Windows and Android versions of Baidu's browser, which are free products. It also found that sensitive data was leaked by thousands of apps that use a Baidu SDK (software development kit).

With the browsers, Citizen Lab found that a user's search terms, GPS coordinates, the addresses of websites visited and device's MAC (Media Access Control) address were sent to Baidu's servers without using SSL/TLS encryption.

"The transmission of personal data without properly implemented encryption can expose a user's data to surveillance," the report noted.

Other sensitive information, such as IMEI (International Mobile Station Equipment Identity) numbers, nearby Wi-Fi networks and their MAC addresses, and hard-drive serial numbers were transmitted with weak encryption that could be broken.

Neither web browser used digital code signatures for updates, meaning attackers could try to slip in their own code instead.

The government of China strictly controls Internet use, and Baidu can be required to hand over user data to intelligence agencies and law enforcement. The data collection raises questions about whether it could be used against those who oppose government policies.

"While Internet companies often collect personal user data for the normal and efficient provision of services, it is unclear why Baidu Browser collects and transmits such an extensive range of sensitive user data points," the report said.

Citizen Lab also found that thousands of mobile apps that use Baidu's mobile analytics SDK transmit the same sensitive information back to the company.

"Any app that uses this SDK for statistics and event tracking sends messages to Baidu’s servers," the report said.

Baidu officials could not be immediately reached for comment, but Citizen Lab published a document with questions it posed and answers from the company.

Baidu doesn't answer a question about what user data is it required to retain under Chinese law. It also says it was unable to comment on why requests using its browsers to visit websites outside of China went through a proxy server.

But Baidu said it has improved security based on the researchers' findings. For example, it said data transmitted by the Android browser would be fully encrypted by the end of this month, and for the Windows browser by early May.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments