Baidu browser found to drip personal data in the clear

The Baidu browser for Android and Windows has been shown by Toronto-based Citizen Lab not only to collect the personal information of its users and send it back to the company's servers, but to do so with weak or nonexistent encryption.

The company's browser leaves users open to man in the middle attacks

The Baidu browser, developed by Chinese tech giant Baidu, drips information all over the place, according to researchers at Toronto-based Citizen Lab. 

They found that browsers made by 'China's Google' collect and send back to Baidu servers more information than most users would be comfortable with.

The report compiles "many weeks" of careful analysis of the browser. What the researchers found, according to Ronald Deibert, director of Citizen Lab, "was very worrying".

The free browser, available for Windows and Android smartphones, collects GPS coordinates, search terms, page histories and hard drive serial numbers, as well as a host of other data, and sends it back to home base either unencrypted or with easily breakable encryption.

This leaves phones running the Baidu browser open to man-in-the-middle attacks during software updates: an attacker sitting on the same network can substitute their own code for the update. But what does this mean in real terms, asked Deibert in a recent blog post.

“Say you had Baidu Browser loaded on your mobile device and you connected to a Wi-Fi hotspot controlled by a criminal, spy, or some other nefarious group, maybe at a conference hotel, a coffee shop, or an airport. People with access to those networks would have been able to send malware to your phone disguised as a Baidu update and take over your phone and do anything they want with it.”
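The scenario Deibert describes above only works because the client accepts whatever arrives over the network as a genuine update. The following is an added example, not code from Baidu, Citizen Lab or the article, showing the weak pattern beside the standard fix: the vendor signs a manifest (version plus SHA-256 of the update payload) with an Ed25519 key, the client verifies it against a pinned public key before installing, and a hotspot attacker who swaps the payload, or re-signs it with a key of their own, is rejected. The package layout, the function names and the sample payloads are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is what the client pulls off the (untrusted) network.
// Version and Payload are what a hotspot operator can rewrite in transit;
// Digest and Signature are what let the client notice.
type UpdatePackage struct {
	Version   string
	Payload   []byte   // the update binary itself
	Digest    [32]byte // SHA-256 of Payload
	Signature []byte   // Ed25519 signature over manifest(Version, Digest)
}

var ErrUntrustedUpdate = errors.New("update rejected: bad signature or digest")

// manifest is the exact byte string that gets signed. The version is
// length-prefixed so no two (version, digest) pairs share an encoding.
func manifest(version string, digest [32]byte) []byte {
	m := make([]byte, 4, 4+len(version)+len(digest))
	binary.BigEndian.PutUint32(m, uint32(len(version)))
	m = append(m, version...)
	return append(m, digest[:]...)
}

// NewVendorKeys stands in for the vendor's offline signing key pair
// (hypothetical). Only the public half is compiled into the client.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs on the vendor's build system.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	d := sha256.Sum256(payload)
	return UpdatePackage{Version: version, Payload: payload, Digest: d,
		Signature: ed25519.Sign(priv, manifest(version, d))}
}

// InstallUnverified is the weak client: whatever arrived is what runs.
func InstallUnverified(pkg UpdatePackage) []byte { return pkg.Payload }

// VerifyUpdate is the hardened client: check the signature against the
// pinned vendor key, then check the payload against the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, manifest(pkg.Version, pkg.Digest), pkg.Signature) {
		return ErrUntrustedUpdate
	}
	if sha256.Sum256(pkg.Payload) != pkg.Digest {
		return ErrUntrustedUpdate
	}
	return nil
}

// SwapPayload models the hotspot attacker: same manifest, different binary.
func SwapPayload(pkg UpdatePackage, malicious []byte) UpdatePackage {
	pkg.Payload = malicious
	return pkg
}

// Resign models a more careful attacker who rebuilds the manifest and signs
// it with a key of their own. Without the vendor's private key the pinned
// public key still rejects it.
func Resign(pkg UpdatePackage, malicious []byte) UpdatePackage {
	_, attackerPriv := NewVendorKeys()
	return SignUpdate(attackerPriv, pkg.Version, malicious)
}

// Outcome summarises one run of the scenario.
type Outcome struct {
	GenuineAccepted      bool
	SwappedRejected      bool
	ResignedRejected     bool
	UnverifiedRanMalware bool
}

// RunScenario plays the genuine update, the swapped one and the re-signed
// one against both clients, using constructed sample payloads.
func RunScenario() Outcome {
	pub, priv := NewVendorKeys()
	genuine := SignUpdate(priv, "7.1.0", []byte("constructed: genuine update bytes"))
	malware := []byte("constructed: attacker payload")
	swapped := SwapPayload(genuine, malware)
	resigned := Resign(genuine, malware)
	return Outcome{
		GenuineAccepted:      VerifyUpdate(pub, genuine) == nil,
		SwappedRejected:      VerifyUpdate(pub, swapped) != nil,
		ResignedRejected:     VerifyUpdate(pub, resigned) != nil,
		UnverifiedRanMalware: bytes.Equal(InstallUnverified(swapped), malware),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The check that matters is the pinned key: TLS on the download channel alone would not have saved a client that also trusts any certificate, whereas a signature verified against a key baked into the client rejects a substituted update regardless of what the network did to it. Two details in the hardened path are deliberate: the manifest is signed, not the raw payload, so the client can verify the small manifest before committing to a large download, and the version is part of the signed data so an attacker cannot replay an old, vulnerable release under a new version string.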

Further research showed that the source of these leaks was Baidu's software development kit, which is embedded in thousands of other applications and so exposes them in the same way.

These applications were made not only by Baidu but by third parties, and can be found on the Google Play Store and on another site hosting thousands of such apps, which Citizen Lab refers to only as "one popular Chinese app store".

Taken as a whole, these apps have been downloaded hundreds of millions of times. One, 'ES File Explorer File Manager' on the Google Play Store, had been downloaded as many as 500 million times.

Citizen Lab contacted Baidu, which said it had already started encrypting the information the browser sends back to its servers. By the end of February, Baidu's response reads, the Android version of the browser will be fully encrypted, and the Windows version will be fully encrypted by the end of May this year. The company stated that it had also started notifying third-party app developers who may have used Baidu's software development kit.

SCMagazineUK.com spoke to Kaiser Kuo, Baidu's head of international communications, who said, “We attach tremendous importance to the protection and security of user information, and in order to protect Baidu products and ensure security we have built a complete set of effective security management systems that protect privacy through the lifecycle of a product, from initial product development to management of personnel involved in operations.”

Kuo added that, “Citizen Lab was very constructive in the way they worked with us. We believe we responded to their findings as quickly and as effectively as we were able and that, with their help, we have resolved any issues of potentially weak encryption in transmission of data.”

But why so many holes from what is considered to be one of China's most important tech companies? Deibert stated that it could be "poor design, or surveillance by design". Certainly, the one-party state keeps a very close eye on what its citizens do online, attempting to prevent them from visiting websites it deems seditious with its 'Great Firewall'.

Jeffrey Knockel, chief researcher at Citizen Lab, speculated that "Baidu felt pressure to rush features to market, and as a result they didn't follow norms common in the software industry."

But, said Knockel, "They are transmitting so much sensitive information that I'm really concerned that they are sending a lot of this data in the first place."