Baidu, the Chinese search and web services company often compared to Google, is at the centre of a privacy scandal. According to security researchers, the Baidu Browser for both Windows and Android collects a wide range of personal and device data from its users and sends it to Baidu's servers, behaving much like an infostealer.
Research by Citizen Lab shows that Baidu invades its users' privacy by collecting this data. Then again, there is hardly a web services company that does not collect some user data. So where is the catch?
The catch is that Baidu transmits the collected data insecurely, over connections that are either unencrypted or protected by encryption that is easy to break.
What kind of information does the Android version of the Baidu Browser collect? Here is the list:
- Details about the operating system;
- Browsing and search history;
- The device’s IMEI (International Mobile Station Equipment Identity);
- The device’s last GPS location;
- Nearby WiFi networks and local MAC addresses;
What about the Windows version of the browser? It collects:
- Search and browsing history;
- CPU model;
- MAC address;
- Hard disk drive model, serial number;
- File system volume number.
The browser collects and transmits all of this information at startup, whenever the user types in the address bar, and on every page view.
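To make the transmission problem concrete, here is an added example (not code from Citizen Lab, Baidu, or the original article) of what a passive observer on the network path can do with an unencrypted telemetry request. The request body, field names and IMEI value are constructed for the example and are not the browser's real parameters; the IMEI is the standard Luhn-valid test number. The scanner parses the body as a URL-encoded form, validates IMEI candidates with the Luhn check so random 15-digit numbers are not flagged, and accepts only 48-bit MAC addresses:

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// CapturedBody is a constructed example of a URL-encoded telemetry POST body
// as it would appear on the wire over plain HTTP. Field names are hypothetical;
// the IMEI is the well-known Luhn-valid test value, not a real device.
const CapturedBody = "imei=490154203237518&mac=00:1A:2B:3C:4D:5E&q=how+to+encrypt+telemetry&os=android-5.1"

// Finding is one sensitive item recovered from the plaintext body.
type Finding struct {
	Kind  string // "imei", "mac" or "search"
	Value string
}

var fifteenDigits = regexp.MustCompile(`^[0-9]{15}$`)

// LuhnOK reports whether a digit string passes the Luhn check that IMEI
// check digits use; it filters out arbitrary 15-digit numbers.
func LuhnOK(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		d := int(s[len(s)-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// isMAC accepts only 48-bit (EUI-48) hardware addresses.
func isMAC(s string) bool {
	hw, err := net.ParseMAC(s)
	return err == nil && len(hw) == 6
}

// ScanPlaintextBody does what anyone on the path (a hotspot operator, an ISP,
// another client on the same Wi-Fi) can do with an unencrypted request: parse
// it and pull out the identifiers. Results are sorted for a deterministic list.
func ScanPlaintextBody(body string) []Finding {
	values, err := url.ParseQuery(body)
	if err != nil {
		return nil
	}
	var found []Finding
	for key, list := range values {
		for _, v := range list {
			switch {
			case fifteenDigits.MatchString(v) && LuhnOK(v):
				found = append(found, Finding{"imei", v})
			case isMAC(v):
				found = append(found, Finding{"mac", v})
			case key == "q" || strings.Contains(strings.ToLower(key), "search"):
				found = append(found, Finding{"search", v})
			}
		}
	}
	sort.Slice(found, func(i, j int) bool {
		if found[i].Kind != found[j].Kind {
			return found[i].Kind < found[j].Kind
		}
		return found[i].Value < found[j].Value
	})
	return found
}

func main() {
	for _, f := range ScanPlaintextBody(CapturedBody) {
		fmt.Printf("%-6s %s\n", f.Kind, f.Value)
	}
}
```

The same scan against a TLS-protected request yields nothing, which is the whole point: the issue is not that identifiers are collected but that they cross the network in a form anyone in between can read and correlate with a person.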
More Flaws in Other Baidu Products
In addition, Citizen Lab, working with the security vendor Lookout, found a range of vulnerabilities in other Baidu products. The biggest problem was an SDK (software development kit) found in 22,548 app packages. In November 2015, Trend Micro researchers had reported a similar Baidu SDK in 14,112 Android applications. A flaw in an SDK of this kind exposes every app that embeds it, and could be abused to install backdoors on users' devices.
Another troubling issue belongs on the list of Baidu's vulnerabilities. The browser checks for and downloads updates without verifying a code signature on what it receives. Without signature verification, a man-in-the-middle (MitM) attacker who can tamper with the update connection can deliver arbitrary files that the browser accepts and runs as a legitimate Baidu update.
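The following added example (illustration only, not Baidu's updater or code from the Citizen Lab report) shows the difference between an updater that installs whatever arrives and one that verifies an Ed25519 signature under a public key pinned in the client. Key generation, the version string "1.0.1" and the installer bytes are all constructed for the example. It plays out three cases: the genuine update, a MitM swapping the payload in transit, and an attacker signing the malicious payload with their own key, which a pinned client still rejects:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update does not verify against the
// pinned vendor key.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// Update is what the client receives from the update server, or from whoever
// can sit between the client and that server.
type Update struct {
	Version   string
	Payload   []byte // installer bytes
	Signature []byte // Ed25519 signature over digest(Version, Payload)
}

// digest binds the version string to the payload so an attacker cannot pair a
// genuine signature with a different payload, or replay an old signed
// installer under a new version number.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so the version cannot bleed into the payload
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side, run in the release pipeline with a private
// key that never ships to clients.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

// InstallUnverified is the pattern the article describes: whatever arrives
// over the update channel is installed, so an on-path attacker decides what runs.
func InstallUnverified(u Update) ([]byte, error) {
	return u.Payload, nil
}

// InstallVerified installs only if the signature verifies under a public key
// compiled into the client. Pinning matters: a key fetched over the same
// channel could be swapped by the same attacker.
func InstallVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, digest(u.Version, u.Payload), u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// TamperInTransit models a MitM swapping the installer while leaving the
// version and signature fields untouched.
func TamperInTransit(u Update, malicious []byte) Update {
	u.Payload = malicious
	return u
}

// ScenarioResult records how each client handles each update.
type ScenarioResult struct {
	GenuineAccepted        bool // verifying client installs the real update
	TamperedInstalledByOld bool // unverified client installs the MitM payload
	TamperedRejected       bool // verifying client refuses the MitM payload
	AttackerSignedRejected bool // signed with an unpinned attacker key: still refused
}

// RunScenario plays the whole exchange with freshly generated (hypothetical) keys.
func RunScenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	genuine := SignUpdate(vendorPriv, "1.0.1", []byte("genuine installer bytes"))
	malicious := []byte("backdoored installer bytes")
	tampered := TamperInTransit(genuine, malicious)
	attackerSigned := SignUpdate(attackerPriv, genuine.Version, malicious)

	var r ScenarioResult
	p, err := InstallVerified(vendorPub, genuine)
	r.GenuineAccepted = err == nil && bytes.Equal(p, genuine.Payload)
	p, _ = InstallUnverified(tampered)
	r.TamperedInstalledByOld = bytes.Equal(p, malicious)
	_, err = InstallVerified(vendorPub, tampered)
	r.TamperedRejected = errors.Is(err, ErrBadSignature)
	_, err = InstallVerified(vendorPub, attackerSigned)
	r.AttackerSignedRejected = errors.Is(err, ErrBadSignature)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Transport encryption alone does not close this gap: TLS protects the channel, but a signature over the payload is what lets the client reject a bad installer even if the update server or a CDN in front of it is compromised.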
Did Baidu Fix the Issues?
The security researchers contacted Baidu to report their findings. Here is part of the Chinese company's answer:
We’re grateful to Citizen Lab for being mindful of data security in transmission and we have already made substantial progress toward ensuring that any such transmission will be secure. Our timetable for making remaining changes to encrypted transmission is detailed […].