Researchers find privacy problems in popular Baidu browser

February 26, 2016 by Alex Gillis
Android and Windows versions of the Baidu browser have been found to have security risks. Credit: Jon Russel via flickr

University of Toronto undergrad Jing Zhou knows a lot about surveillance issues in China and Canada, but even she's surprised by findings that hundreds of millions of people are at risk of hacking and surveillance because of a popular internet browser.

This week, the Citizen Lab at the University of Toronto's Munk School of Global Affairs released a report showing that the Android version of Baidu Browser, made by one of China's largest technology companies, leaks a user's location, browsing history and other data because of poor or missing encryption whenever the browser is used.

And the browser's Windows version leaks even more data, including computer serial numbers. Any individual, company and government can hack a device or spy on users' online habits.

Zhou is concerned about the human rights implications given the increasing number of people from China worried about hacking and surveillance. She helps to run a U of T student club called Choose Humanity, which raises awareness about human rights abuses.

"In Toronto, there are Chinese officials surveilling students, religious practitioners and community members," says Zhou, who moved from China to Canada in 2001 and is finishing a management degree at U of T. "Not only in Canada, but in China, the government and police track down your relations and monitor them."

Baidu runs the most used search engine in China – but it's also used around the world in Chinese, English and other languages.

Many of the vulnerabilities are due to missing or poor encryption used by something called software development kits (SDKs), which are present in more than 22,000 apps related to Baidu, researchers say. The apps have been downloaded billions of times.

"Baidu and anyone monitoring your traffic can use your hardware's serial numbers to track your GPS location, nearby wireless networks, and every unencrypted and encrypted web page you visit," says Jeffrey Knockel, the report's lead author and a senior researcher at the Citizen Lab. "Most users would have no way of knowing their personal data was being transmitted this way, and would be unable to prevent it."

In addition, Baidu Browser doesn't include special codes (a norm with other browsers) when it downloads routine software updates, which would allow hackers to secretly install malicious software on computers and phones.

In May 2015, Citizen Lab identified similar security concerns with UC Browser, a popular browser owned by e-commerce giant Alibaba, also based in China. The vulnerabilities in UC Browser were identified in documents leaked by Edward Snowden that revealed that intelligence agencies in Canada, the United States, the United Kingdom, Australia and New Zealand had used the vulnerabilities to identify users.

The report is part of the Citizen Lab's ongoing research into privacy and security of popular mobile applications used in Asia, including China's censorship of Google, Microsoft, and Yahoo search engines and its censorship and surveillance in TOM-Skype, a Chinese version of Skype.

In November 2015, Citizen Lab researchers notified Baidu of the browser's security issues. The company released updates that remedied some of the issues in January 2016, but many still remain unresolved.

"I wouldn't use Baidu anyway, as it's not as good as Google," Zhou says. "Now that I know about the problems, I'm glad that I can avoid it in Canada.

"They have to make Baidu more secure," Zhou says. "People don't have to undergo surveillance all the time."
