Thursday 25 February 2016

Baidu's browser leaks sensitive information


The browser provided by Baidu (China's answer to Google) leaks all kinds of personal data. Researchers at Canada's Citizen Lab tested the browser and concluded it "collects and transmits a lot of personal user data back to Baidu servers that we believe goes far beyond what should be collected, and it does so either without encryption, or with easily decryptable encryption".

The Android version of the browser is even worse: "Data collected and transmitted in the Android version without any encryption includes a user’s GPS coordinates, search terms, and URLs visited. The user’s IMEI and nearby wireless networks are sent with easily decryptable encryption".

The Windows version leaks search terms, hard drive serial number, network MAC address, as well as the title of all visited webpages. GPU model number is also transmitted.

At this point, things just become ridiculous. Neither the Windows nor Android versions of the browser protect their software updates with code signatures. That means a hacker could, quite easily, make the app download and execute malicious code.
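The point about unsigned updates is the most serious one in the report, because it turns a privacy leak into a remote code execution path: a client that executes whatever it downloads has no way to tell a genuine update from a substituted one. The following is an added example, not code from Baidu or from Citizen Lab, of the check an updater has to perform before it installs anything: the vendor signs each update with a private key that stays on the build system, and the client verifies that signature against a public key pinned in its own binary. The update format (payload plus detached Ed25519 signature) and the payload bytes are constructed for the example; a real updater would also carry a version number in the signed data to stop an old, signed release being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a downloaded update: the
// payload bytes plus a detached signature over them. The real update
// format is not described in the report; this minimal one is an assumption.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// The two reasons a client must refuse to install an update.
var (
	ErrUnsigned     = errors.New("update rejected: no signature present")
	ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")
)

// SignUpdate models the vendor's release step: sign the payload with the
// vendor's private key, which never leaves the build system.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the check the installed client must run before writing
// or executing anything it downloaded. Because the vendor public key is
// pinned in the client, a party that can only alter the download cannot
// produce a signature the client will accept.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ScenarioResult records how the verifier treats four constructed downloads.
type ScenarioResult struct {
	GenuineAccepted  bool
	UnsignedRejected bool
	TamperedRejected bool
	WrongKeyRejected bool
}

// RunScenario generates a throwaway vendor key pair and exercises
// VerifyUpdate against a genuine update, an unsigned one, a modified one,
// and one signed by a key other than the pinned vendor key.
func RunScenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}

	payload := []byte("constructed update payload v2.0") // constructed sample
	genuine := SignUpdate(vendorPriv, payload)

	// Same bytes, but no signature at all: what an unsigned updater accepts today.
	unsigned := UpdatePackage{Payload: payload}

	// Signed by the vendor, then one byte of the payload changed in transit.
	tampered := SignUpdate(vendorPriv, payload)
	tampered.Payload = append([]byte{}, payload...) // copy so genuine stays intact
	tampered.Payload[0] ^= 0xff

	// Signed, but by a key that is not the pinned vendor key.
	wrongKey := SignUpdate(otherPriv, payload)

	return ScenarioResult{
		GenuineAccepted:  VerifyUpdate(vendorPub, genuine) == nil,
		UnsignedRejected: errors.Is(VerifyUpdate(vendorPub, unsigned), ErrUnsigned),
		TamperedRejected: errors.Is(VerifyUpdate(vendorPub, tampered), ErrBadSignature),
		WrongKeyRejected: errors.Is(VerifyUpdate(vendorPub, wrongKey), ErrBadSignature),
	}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("%+v\n", res)
}
```

The decisive design choice is that the public key is compiled into the client rather than fetched from the update server: if the key were downloaded alongside the update, whoever controlled the download could supply a matching key and the check would be worthless.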

But it's not just the Chinese whose data could be leaking. The researchers believe pretty much everyone could be at risk, as the Baidu Browser's software development kit is "repurposed and employed in thousands of other applications developed by Baidu and third parties, affecting potentially hundreds of millions of users".

"Thousands of other applications, many of them available on the Google Play Store outside of China, and some of which have been installed hundreds of millions of times, contain the same flaws, and are sending back the same detailed information, to Baidu servers", Citizen Lab concludes.

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.

Photo credit: Jamie Wilson / Shutterstock
