Baidu Browser found to be Leaking Personal User Data – What it means for you
You’ve probably heard of Baidu before. Known somewhat as China’s Google (though that may change if Google finally decides to re-enter the market this year), the mammoth search engine giant/advertising platform/online encyclopedia has dabbled in developing numerous applications designed around its service ecosystem for both Android and Windows (much like Google).
These apps have millions of users, most of whom are located in China, but as evidenced by the install count of Baidu Browser and other apps on the Play Store, there are a lot of users outside of China as well, which makes a recent report from Toronto’s Citizen Lab all the more worrying. According to the group, Baidu Browser has been caught leaking sensitive personal information from its users.
Baidu Not Track
The firm has summarized its research of Baidu Browser’s security failings into several key findings:
- Baidu Browser, a web browser for the Windows and Android platforms, transmits personal user data to Baidu servers without encryption and with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.
- The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.
- The Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.
- Neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code, representing a significant security risk.
- The Windows version of Baidu Browser contains a feature to proxy requests to certain websites, which permits access to some websites that are normally blocked in China.
- Analysis of the global versions of Baidu Browser indicates that the data leakage is the result of a shared Baidu software development kit (SDK), which affects hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.
If you’ve installed the browser, or any application that was developed using the Baidu SDK (such as ES File Explorer), then it’s possible some of your personal data may have been compromised. The security leakage found in applications developed using Baidu’s SDK is massive, and the fact that the data was transmitted unencrypted (or with easily decryptable encryption) shows how little effort Baidu took in securing your personal data. Was it all transmitted to the Chinese government? While we can’t confirm either way, Baidu denies any such allegation according to a statement made to Citizen Lab.
Baidu’s and Don’ts
To be fair to Baidu, they have patched some of the security holes leading to leaked sensitive data. Keyword “some.” After Citizen Lab performed its due diligence and reported the security issues to the company, Baidu updated its application. Citizen Lab re-tested Baidu’s browser, and found the following for the Android version:
- Leaks sensitive data on startup and Phones home with sensitive data about every page view
  - These issues appear to have been resolved insofar as the same information appears to be communicated by the application to Baidu servers but now it is encrypted using SSL.
- Leaks sensitive data and address bar contents when inputting into address bar
  - This issue remains unresolved. In our communications with Baidu, they indicated they would not be fixing this issue. However, in addition to the contents of user searches, the browser still also includes sensitive data such as a user’s IMEI in an easily decryptable format in the request URL.
- Insecurely checks for software updates
  - This issue has been resolved. Software updates are now checked using HTTPS.
And for the Windows version:
- Leaks address bar contents when inputting into address bar
  - This issue remains unresolved. In our communications with Baidu, they indicated they would not be fixing this issue.
- Communicates with Baidu servers via an easily decryptable protocol and Phones home information about every page view that includes hardware serial numbers
  - These issues remain unresolved. Our analysis indicates that data is still transmitted with easily decryptable encryption. In addition, every protobuf request sent to the dr.br.baidu.com domain now includes the user’s hard drive serial number and MAC address unencrypted in the header, a behavior not identified in the earlier version 220.127.116.119 of the application that we analyzed in this report.
- Insecurely checks for software updates
  - The application still checks for software updates unencrypted over HTTP; however, it now verifies the authenticode digital signature of the downloaded update to have been signed by Baidu.
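The findings above boil down to one question a defender can answer from a traffic capture: does a request carry device identifiers or search terms, and is the transport plain HTTP (readable by anyone on the path) or TLS (readable only by the receiving server, the "now encrypted using SSL" state of the re-test)? The following is an added Python example, not code from Citizen Lab or Baidu, that audits constructed sample requests for the identifier types both the original findings and the re-test mention (IMEI, MAC address, GPS fix, search term); the hosts, the query-string keys treated as search terms, and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Identifier types the Citizen Lab findings list: IMEI, MAC address, GPS fix, search terms.
IMEI_RE = re.compile(r"(?<!\d)(\d{15})(?!\d)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
GPS_RE = re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,},-?\d{1,3}\.\d{3,}(?![\d.])")
SEARCH_KEYS = {"q", "wd", "query"}  # assumed query-string keys that carry a search term

def luhn_ok(digits):
    """Luhn check so that an arbitrary 15-digit number is not reported as an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text):
    found = set()
    if any(luhn_ok(m) for m in IMEI_RE.findall(text)):
        found.add("imei")
    if MAC_RE.search(text):
        found.add("mac")
    if GPS_RE.search(text):
        found.add("gps")
    return found

def audit_request(url, headers):
    """Classify one request: which identifiers it carries and whether the transport hides them."""
    parts = urlsplit(url)
    ids = find_identifiers(url)
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SEARCH_KEYS and any(v.strip() for v in values):
            ids.add("search_term")
    for value in headers.values():
        ids |= find_identifiers(value)
    if not ids:
        return "none", []
    # Plain HTTP: anyone in-path reads the identifiers. TLS: only the receiving server does,
    # which is still "data transmitted to the vendor", just not leaked to third parties.
    return ("cleartext_leak" if parts.scheme == "http" else "tls_only"), sorted(ids)

# Constructed sample requests; hosts and values are placeholders, not taken from the report.
SAMPLE_REQUESTS = [
    ("http://telemetry.example.invalid/r?imei=490154203237518&loc=39.9042,116.4074&q=privacy", {}),
    ("https://telemetry.example.invalid/r?q=privacy", {"X-Device": "00:1A:2B:3C:4D:5E"}),
    ("https://telemetry.example.invalid/r?id=123456789012345", {}),  # 15 digits, fails Luhn
]

def audit_log(requests=SAMPLE_REQUESTS):
    return [audit_request(url, headers) for url, headers in requests]
```

Run `audit_log()` over a proxy or pcap export of an app's requests in the same (url, headers) shape; the third sample shows why the Luhn check matters, since a random 15-digit id must not be flagged as an IMEI.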
So in short, most of the critical security compromises that would allow malicious attackers to take over your browser have been patched, and your data is now safe from leakage (albeit still being transmitted to Baidu’s servers). If you’re worried about third parties getting a look at your personal data, then you’re safe for now. But if you’re worried about the Chinese government or Baidu selling your data, well, then you’ll remain skeptical of the app. We hope such a security issue doesn’t turn you off of applications made by Chinese developers, but rather makes you more critical of what apps you’re installing and what permissions they request.
Ever used Baidu? If so, let us know in the comments!