Media Releases

Researchers identify security and privacy issues in Baidu Browser

February 23, 2016

Toronto, ON — A new report from the University of Toronto's Citizen Lab reveals that Baidu Browser, a popular mobile browser based in China and used by millions of people, has many privacy and security issues that could put users' communications at risk.

Baidu Browser is available in both an Android and Windows version, and the researchers found both contain several problems. The Android version transmits data such as a user's search terms, GPS coordinates, and URLs visited in the browser to Baidu servers without encryption. Other data are sent with easily decryptable encryption. Similarly, the Windows version of the app transmits a user's search terms, hard drive serial number, wireless MAC address, URL and title of visited web pages and CPU model number without encryption or with easily decryptable encryption.

The researchers' analysis also shows that many of the leaks of sensitive information are the result of an analytics software development kit (SDK) that the researchers identified being used in hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands in one popular Chinese app store, affecting potentially millions of other users in a kind of "collateral exposure."

The unencrypted and poorly encrypted transmission of this information places sensitive user data at risk of being exposed to surveillance by a number of intermediaries, including a user's ISP, wireless network operator, mobile carrier or a malicious actor with network visibility.

In addition, neither the Windows nor Android versions of the application protected software updates with code signatures, meaning that a malicious actor could cause the application to download and run arbitrary code. This vulnerability could potentially lead to malicious code being installed on a user's device without their knowledge.

The Citizen Lab, an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, has an ongoing research project on the privacy and security of popular mobile applications used in Asia. In May 2015, Citizen Lab research identified similar security concerns with UC Browser, a popular mobile web browser owned by China-based e-commerce giant Alibaba.

"When you're using the browser, Baidu and anyone monitoring your traffic can use your hardware's serial numbers to track your GPS location, nearby wireless networks, and every unencrypted and encrypted web page you visit," says Jeffrey Knockel, Senior Researcher at the Citizen Lab, Munk School of Global Affairs, University of Toronto. "Even if you're not using their browser, third-party apps using their analytics SDK have similar leaks. Most users would have no way of knowing their personal data was being transmitted this way and would be unable to prevent it. The extent of these issues and the ease with which they were found suggests that security researchers need to better engage with software companies in foreign markets."

Citizen Lab researchers notified Baidu of these security issues in November 2015 and Baidu released updates in February 2016. Analysis shows that while some of the issues have been remedied in the updated versions, many of the security issues identified remain unresolved.

"The digital ecosystem that surrounds us and to which we entrust our thoughts, habits, and movements is built upon a constantly shifting, often insecure, and yet highly interconnected foundation of millions of devices and applications," says Ron Deibert, Director of the Citizen Lab at the Munk School of Global Affairs and Professor of Political Science at the University of Toronto. "Our analysis of Baidu Browser shows precisely why lifting the lid on this ecosystem is not only important for the protection of users' privacy and security, it should be seen as an urgent civic imperative."

-30-

For media inquiries, contact:

Dena Allen
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Telephone: 416-946-0123
Mobile: 416-795-3902
dena.allen@utoronto.ca

Guide on Citing in Media
Title: Baidu's and Don'ts: Privacy and Security Issues in Baidu Browser
Published By: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 22 February 2016
Report URL: https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser