Baidu web browsers leaked sensitive information, researchers say

23.02.2016
Two web browsers developed by Chinese search giant Baidu have been insecurely transmitting sensitive data across the Internet, putting users' privacy at risk, according to a new study.

Baidu responded by releasing software fixes, but researchers say not all the issues have been resolved.

The study was published Tuesday by Citizen Lab, a research group that's part of the University of Toronto. 

It focused on the Windows and Android versions of Baidu's browser, which are free products. It also found that sensitive data was leaked by thousands of apps that use a Baidu SDK (software development kit).

With the browsers, Citizen Lab found that a user's search terms, GPS coordinates, the addresses of websites visited and device's MAC (Media Access Control) address were sent to Baidu's servers without using SSL/TLS encryption.

"The transmission of personal data without properly implemented encryption can expose a user's data to surveillance," the report noted.

Other sensitive information, such as IMEI (International Mobile Station Equipment Identity) numbers, nearby Wi-Fi networks and their MAC addresses, and hard-drive serial numbers were transmitted with weak encryption that could be broken.

Neither web browser used digital code signatures for updates, meaning attackers could try to slip in their own code instead.

The government of China strictly controls Internet use, and Baidu can be required to hand over user data to intelligence agencies and law enforcement. The data collection raises questions about whether it could be used against those who oppose government policies.

"While Internet companies often collect personal user data for the normal and efficient provision of services, it is unclear why Baidu Browser collects and transmits such an extensive range of sensitive user data points," the report said.

Citizen Lab also found that thousands of mobile apps that use Baidu's mobile analytics SDK transmit the same sensitive information back to the company.

"Any app that uses this SDK for statistics and event tracking sends messages to Baidu’s servers," the report said.

Baidu officials could not be immediately reached for comment, but Citizen Lab published a document with questions it posed and answers from the company.

Baidu doesn't answer a question about what user data is it required to retain under Chinese law. It also says it was unable to comment on why requests using its browsers to visit websites outside of China went through a proxy server.

But Baidu said it has improved security based on the researchers' findings. For example, it said data transmitted by the Android browser would be fully encrypted by the end of this month, and for the Windows browser by early May.

Jeremy Kirk