Baidu browser leaks user data
Baidu browser for Android and Windows leaks users' personal data (Reuters)

Both the Android and Windows versions of the Baidu browser collect users' personal data and transmit it to Baidu servers, according to new research. The Android version transmits data including users' GPS coordinates, search terms, URLs visited, the device IMEI and a list of nearby wireless networks.

The Windows version transmits the hard drive serial number and model, the network MAC address, the URLs and titles of the webpages visited and the CPU model number. Neither the Android nor the Windows version of the browser protects its software updates, which could allow attackers to carry out malicious activities.

After separately testing version 6.2.18.0 of the Android browser and version 7.6.100.2089 for Windows, Canada-based research firm Citizen Lab found that both versions contained vulnerabilities raising privacy and security concerns. Another finding is that the Windows version of the browser contains a feature that automatically makes proxy requests to certain foreign-hosted websites.

In addition, analysis of the global version of the browser suggests the Baidu software development kit (SDK) affects hundreds of apps developed by Baidu, as well as apps in the Google Play Store and a Chinese app store.

Baidu, the company behind the browser, was recently accused of hosting fake advertisements, pornography and leaks of personal information. The browser itself was originally released in 2011 and is based on Google's Chromium platform. It offers a number of features such as integrated video, audio downloading tools, a built-in torrent client and mouse gesture support.

Vulnerabilities

Not only the Chinese version of the Baidu browser but also the global version of the Android browser leaks user information, because both use a common SDK called the Baidu Mobile Tongji (Analytics) SDK. The firm found 22,548 unique app package names containing the SDK variants responsible for leaking user data. Of these, 454 apps were in the Google Play Store and 6,672 were in hiapk.com, one of the popular app stores in China.

Most of the affected apps in the Google Play Store are free and have been installed more than a million times. The apps have not been named, but as the Google Play Store is not accessible in China, these apps are likely to be used mainly outside China.

Baidu's response

Baidu in its response said it was working to ensure data transmission is secure. "Baidu endeavours to collect data in a way consistent with the highest standards of security and user privacy in the industry," it said.

"We're grateful to Citizen Lab for being mindful of data security in transmission and we have already made substantial progress toward ensuring that any such transmission will be secure.

"We've improved the security review process and notified third-party app developers using previously vulnerable versions of certain SDKs, and we will continue to increase our security review and auditing process to ensure that the SDKs used by third parties are safe."