Baidu Browser Still Leaks Personal Data, Researchers Warn

Web browsers created by Chinese search engine Baidu are not secure, Canadian security researchers have warned.

They said the Android and Windows browsers transmit personal user data to Baidu servers without encryption, or with easily breakable encryption.

Look Mum, No Encryption

Baidu is not a particularly well known brand in the West, but in its home market of China, it is a giant firm. And it seems to have a massive security flaw that it is endangering the the privacy of hundreds of millions of Chinese citizens.

According to The Citizen Lab, which is based at the University of Toronto in Canada, the Baidu browser has a seriously flaw as it transmits personal user data to Baidu servers without encryption or with easily decryptable encryption.

The researcher also warn it is “vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.”

The Citizen Lab provided a detailed breakdown of the problems with both the Android and Windows versions of the Baidu browser.

“The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption,” said the Citizen Lab.

Meanwhile it seems that the Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.

The researchers also warned that neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures. This means that an attacker could potentially cause the application to download and execute arbitrary code.

The Citizen Lab blamed the data leakage on a shared Baidu software development kit (SDK). This SDK has apparently been used to create “hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.”

Shoddy Response

The Citizen Lab first notified Baidu of its discovery back on 26 November last year, and said it would publish its finding after 45 days, giving it time to patch the flaws.

Baidu initially pledged to fix the vulnerabilities via an update by no later than 24 January. But when it discovered the flaw affected not just its browser, but many other apps created via its SDK, it asked for an extension until 14 February. The Citizen Lab agreed.

Baidu duly updated both browsers, but The Citizen Lab then examined the updates and still found four general security and privacy issues in the updated Android browser, and that only one of the flaws in the updated Windows version had actually been fixed.

“It’s either shoddy design or it’s surveillance by design,” Citizen Lab director Ron Deibert told Reuters.

Are you a security pro? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago