Web browsers created by Chinese search engine Baidu are not secure, Canadian security researchers have warned.
They said the Android and Windows browsers transmit personal user data to Baidu servers without encryption, or with easily breakable encryption.
Baidu is not a particularly well known brand in the West, but in its home market of China, it is a giant firm. And it seems to have a massive security flaw that it is endangering the the privacy of hundreds of millions of Chinese citizens.
According to The Citizen Lab, which is based at the University of Toronto in Canada, the Baidu browser has a seriously flaw as it transmits personal user data to Baidu servers without encryption or with easily decryptable encryption.
The researcher also warn it is “vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.”
The Citizen Lab provided a detailed breakdown of the problems with both the Android and Windows versions of the Baidu browser.
Meanwhile it seems that the Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.
The researchers also warned that neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures. This means that an attacker could potentially cause the application to download and execute arbitrary code.
The Citizen Lab blamed the data leakage on a shared Baidu software development kit (SDK). This SDK has apparently been used to create “hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.”
The Citizen Lab first notified Baidu of its discovery back on 26 November last year, and said it would publish its finding after 45 days, giving it time to patch the flaws.
Baidu initially pledged to fix the vulnerabilities via an update by no later than 24 January. But when it discovered the flaw affected not just its browser, but many other apps created via its SDK, it asked for an extension until 14 February. The Citizen Lab agreed.
Baidu duly updated both browsers, but The Citizen Lab then examined the updates and still found four general security and privacy issues in the updated Android browser, and that only one of the flaws in the updated Windows version had actually been fixed.
“It’s either shoddy design or it’s surveillance by design,” Citizen Lab director Ron Deibert told Reuters.
Are you a security pro? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…