
Researchers identify major security and privacy issues in Popular China Browser Application, QQ

March 28, 2016

Toronto, ON — A new study from the University of Toronto’s Citizen Lab identifies security and privacy issues in QQ Browser, a mobile browser produced by China-based Internet giant Tencent, which may put many millions of users of the application at risk of serious compromise.

Citizen Lab researchers identified problems in both the Android and Windows versions of the application. The Android version of the browser transmits personally identifiable data, including a user’s search terms, the URLs of visited websites, nearby WiFi access points, and the user’s IMSI and IMEI identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user’s hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted encryption.

The transmission of personally identifiable user data without properly implemented encryption leaves this data vulnerable to surveillance by a number of intermediaries, including a user’s ISP, wireless network operator, mobile carrier, a malicious actor with network visibility, and/or a government agency with access to any of those intermediaries.

“QQ Browser phones home information on your device’s hardware serial numbers and tracks your location and every page you visit. Even the person you trust most does not have access to this amount of information on you and yet QQ receives it from everyone who uses their browser,” said Jeffrey Knockel, Senior Researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

In addition, neither the Windows nor the Android version of the application adequately protected the software update process, which leaves the application vulnerable to the execution of arbitrary code. This means that a user could be deceived by a malicious actor into installing malware without their knowledge during the QQ Browser update process.

Citizen Lab researchers disclosed these vulnerabilities to Tencent on February 5, 2016. Tencent security engineers acknowledged these security concerns and released updated versions of both the Windows and Android versions of the application in March 2016. Analysis by Citizen Lab researchers showed that some of the problems identified were resolved, while others remain.

The Citizen Lab’s Director, Ron Deibert, also sent questions to Tencent seeking comment on the reasons for the vulnerabilities and data collection issues, specifically requesting comment on whether the company is following state directives. China maintains one of the world’s most extensive censorship and surveillance regimes and all companies are required by law to follow state regulations. China’s anti-terrorism law, which came into effect on January 1, 2016, includes requirements for telecommunications operators and Internet service providers to “provide technical interfaces, decryption, and other technical support assistance to public security organs and state security organs conducting prevention and investigation of terrorist activities in accordance with law”. As of the date of publication, however, Tencent has not replied to the Citizen Lab letter.

“Most users would likely be surprised to discover the extent of personally identifiable data that the application is collecting, and would likely be troubled to find it is being transmitted in an insecure manner. If developers are going to be collecting this data, it is imperative that they use widely-accepted methods of transmitting the data in a more secure way,” said Adam Senft, Researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

This is the third web browser produced by a China-based company that Citizen Lab researchers have identified security issues with. In May 2015, Citizen Lab research identified similar security concerns with UC Browser, a popular mobile web browser owned by China-based e-commerce giant Alibaba. In February 2016, Citizen Lab published a report describing similar security concerns with Baidu Browser, a web browser produced by China-based Baidu.

“The collection of such sensitive information about a user, and its insecure transmission across networks, is disturbing regardless of where it takes place. But the fact that this is being undertaken in a context like China — where there is extensive surveillance, companies are required by law to share user data with authorities on demand, and dissidents are routinely incarcerated for opposition to the government — is a serious matter of personal security and human rights,” said Ron Deibert, Director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

-30-

For media inquiries, contact:

Dena Allen
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Tel: 416-946-0123
Mob: 416-795-3902
dena.allen@utoronto.ca

Guide on Citing in Media
Title: WUP! There It Is: Privacy and Security Issues in QQ Browser
Published By: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 28 March 2016
Report URL: https://citizenlab.org/2016/03/privacy-security-issues-qq-browser/