Researchers say Baidu Browser, a free web browser for the Windows and Android platforms produced by Baidu, handles and transmits user data insecurely during its operation.
Baidu Browser offers a number of features beyond those found in standard browsers, including video and audio download tools and built-in torrent support.
Researchers at Canada-based Citizen Lab analyzed how Baidu Browser manages and transmits user data. The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
Previously, the researchers had been examining the security and privacy of popular mobile applications in Asia. They had similar concerns with UC Browser, a popular mobile web browser owned by China-based e-commerce giant Alibaba. That report documented UC Browser’s unencrypted transmission of sensitive user information, including IMSI, IMEI, Android ID, Wi-Fi MAC Address, geolocation data and user search queries. The security issues in UC Browser were identified in documents leaked by Edward Snowden that indicated the Five Eyes intelligence alliance, consisting of intelligence agencies from Canada, the United States, the United Kingdom, Australia and New Zealand, had used these vulnerabilities as a means of identifying users.
Thousands of apps running code built by Chinese Internet giant Baidu have collected and transmitted users' personal information to the company, much of it easily intercepted, researchers added.
Alibaba fixed those vulnerabilities, and Baidu said it would be fixing the encryption holes in its kits, but would still collect data for commercial use, some of which it said it shares with third parties.