A new study reveals that the mobile browser of Chinese tech giant Baidu transmits users’ personal information with little to no encryption.
On Tuesday, Citizen Lab researchers Jeffrey Knockel, Sarah McKune, and Adam Senft published a report in which they examined how Baidu’s mobile browser transmits and handles user data.
Their efforts revealed a number of security and privacy shortcomings.
For example, the research team found that on Android devices the mobile browser transmits users’ GPS coordinates, search terms entered into the browser’s address bar, and URLs without any encryption. Baidu also sends the device’s IMEI number, nearby wireless networks, and MAC addresses, among other pieces of information, and protects them only with a poor encryption scheme, Citizen Lab found.
As for its Windows version, the browser transmits search terms in the clear and sends a variety of personal information, including several identifiers for the device’s hard disk, with easily breakable encryption protection.
“The transmission of personal data without properly implemented encryption can expose a user’s data to surveillance,” the researchers explain. “Any in-path actor, which could include a user’s ISP, wireless network operator (such as a coffee shop Wi-Fi connection), mobile carrier, or a malicious actor with network visibility, would have visibility into the unencrypted data transmitted from this application. Further, an in-path actor would be able to decrypt the encrypted communications sent by this application with relative ease as a result of the methods used to encrypt this traffic. Such interception would permit the discovery of a user’s physical location, the terms for which they are searching, nearby wireless networks, and a number of digital fingerprints of their physical hardware. Users would have no way of knowing their data was surveilled in such a manner, and most would be unaware that such data was transmitted by the application at all.”
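The kind of leak described above is found by auditing an app's own traffic from a test device on a lab network and checking which identifiers leave the device over plain HTTP. The following audit script is an added example, not code from the article or from Citizen Lab; the request lines, the hostname `telemetry.example`, and the parameter names (`imei`, `mac`, `ssid`, `lat`, `lng`, `q`) are constructed for illustration and are not Baidu's actual endpoints or field names. It goes slightly beyond the article by also matching values by shape (a 15-digit IMEI, a MAC address, a decimal coordinate) so that renamed parameters are still caught.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture (not real Baidu traffic): HTTP request lines as
# an intercepting proxy on a lab network records them from a test device.
SAMPLE_REQUESTS = [
    "GET http://telemetry.example/report?q=hospital+near+me&lat=43.6532&lng=-79.3832 HTTP/1.1",
    "GET http://telemetry.example/ping?imei=356938035643809&mac=00%3A1A%3A2B%3A3C%3A4D%3A5E&ssid=CafeWifi HTTP/1.1",
    "GET https://telemetry.example/ok?session=abc123 HTTP/1.1",
]

# Hypothetical parameter names mapped to the data categories the report lists.
PARAM_CATEGORIES = {
    "imei": "device identifier",
    "mac": "hardware address",
    "ssid": "nearby network",
    "lat": "location", "lng": "location", "lon": "location",
    "q": "search term",
    "url": "browsing url",
}

# Value shapes that reveal a category even when the parameter name is unfamiliar.
VALUE_PATTERNS = {
    "device identifier": re.compile(r"^\d{15}$"),                       # IMEI is 15 digits
    "hardware address": re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
    "location": re.compile(r"^-?\d{1,3}\.\d{3,}$"),                     # decimal lat/lon
}


def classify(name, value):
    """Return the data category of one query parameter, or None if it looks harmless."""
    category = PARAM_CATEGORIES.get(name.lower())
    if category is not None:
        return category
    for candidate, pattern in VALUE_PATTERNS.items():
        if pattern.match(value):
            return candidate
    return None


def audit_request(line):
    """Inspect one request line and report the sensitive fields it carries."""
    _method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    # parse_qs percent-decodes values, so an encoded MAC address becomes "00:1A:..."
    for name, values in parse_qs(parts.query).items():
        for value in values:
            category = classify(name, value)
            if category is not None:
                findings.append((name, category))
    return {
        "host": parts.hostname,
        # Transport encryption only: https says nothing about how the app
        # encrypts fields inside the payload, which the report found to be weak.
        "encrypted": parts.scheme == "https",
        "findings": findings,
    }


def audit_capture(lines):
    """Return the requests that carry sensitive fields over plain HTTP."""
    reports = (audit_request(line) for line in lines)
    return [r for r in reports if r["findings"] and not r["encrypted"]]


if __name__ == "__main__":
    for report in audit_capture(SAMPLE_REQUESTS):
        fields = ", ".join(f"{name} ({cat})" for name, cat in report["findings"])
        print(f"plaintext to {report['host']}: {fields}")
```

Because the audit keys on the URL scheme, it only answers the first of the report's two questions (is the transport encrypted at all); a field that passes this check can still be protected only by a scheme an in-path observer can undo, which needs manual review of the app's own cipher usage rather than a capture filter.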
Citizen Lab first notified Baidu of the issues reported in its study back in November of 2015. Since then, the Chinese tech giant has fixed a number of the weaknesses.
Even so, some of the flaws, including transmission of search bar terms, remain unresolved.
News of this report follows an alteration in the code of Baidu’s Analytics last summer that resulted in a distributed denial-of-service (DDoS) attack against code repository GitHub.