Chinese Internet giant Baidu -- a combination of Google, Facebook and Twitter, with key investments in many companies, including Uber -- makes its own Windows/Android browser, long believed to be a de facto surveillance tool.
An investigation by Citizen Lab found that Baidu Browser transmits lots of personal data to Baidu: the sort of thing Android collects for Google -- location, search terms, nearby wifi networks -- and some things it doesn't (hard drive serial numbers, browser history), but without the kind of security that Google uses. All that data is transmitted either in the clear or with badly implemented cryptography that can be easily broken.
It's also a remarkably badly secured tool: Baidu Browser accepts unsigned updates, allowing malicious updates from third parties. Hilariously, Baidu's design decisions allow for circumvention of China's censorship regime, the Great Firewall, seemingly by accident (the browser uses a proxy that is meant to fix slowdowns caused by the country's censorship regime).
Many of Baidu Browser's defects come from a shared Baidu SDK, widely used by Android app developers, meaning these vulnerabilities affect thousands of apps.
Baidu was notified of these vulnerabilities prior to Citizen Lab's publication, and has apparently patched some of the issues Citizen Lab identified.
Baidu Browser, a web browser for the Windows and Android platforms, transmits personal user data to Baidu servers without encryption and with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks.
The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.
The Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.
Neither the Windows nor Android versions of Baidu Browser protect software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code, representing a significant security risk.
The Windows version of Baidu Browser contains a feature to proxy requests to certain websites, which permits access to some websites that are normally blocked in China.
Analysis of the global versions of Baidu Browser indicates that the data leakage is the result of a shared Baidu software development kit (SDK), which affects hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.
Please see the “Update: Analysis of updated versions of Baidu Browser” section at the end of this report for updates on these issues, following our disclosure to the vendor and our analysis of the latest versions released prior to publication.
[Jeffrey Knockel, Sarah McKune and Adam Senft/Citizen Lab]
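The update check that Citizen Lab reports as missing, shown from the defender's side as an added example in Go (this is not Baidu's or Citizen Lab's code). It assumes Ed25519 detached signatures, a vendor public key pinned into the client, and a hypothetical UpdatePackage format; the point is that a client which verifies the signature before executing anything rejects both an in-path modification of the payload and a payload signed with someone else's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical update format: the payload the
// client would write to disk and execute, plus a detached signature over it.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step (release pipeline): sign the SHA-256
// digest of the payload with the vendor's private key, which never ships
// with the client.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check. The update is accepted only if the
// signature verifies under the public key pinned into the client binary; a
// tampered payload or a signature from another key is refused before any
// code is executed. It returns the payload only on success.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("pinned key has wrong length")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature: refusing to install")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinned, digest[:], pkg.Signature) {
		return nil, errors.New("signature does not verify: refusing to install")
	}
	return pkg.Payload, nil
}

func main() {
	// Constructed vendor key pair; in practice only the public half is pinned
	// in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := SignUpdate(priv, []byte("constructed update payload v2.0"))
	if _, err := VerifyUpdate(pub, genuine); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine update accepted")
	}

	// An in-path party that swaps the payload cannot produce a valid signature.
	tampered := genuine
	tampered.Payload = []byte("constructed replacement payload")
	if _, err := VerifyUpdate(pub, tampered); err != nil {
		fmt.Println("tampered update rejected:", err)
	}

	// A payload signed with a different key is likewise rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	if _, err := VerifyUpdate(pub, SignUpdate(otherPriv, []byte("x"))); err != nil {
		fmt.Println("update under foreign key rejected:", err)
	}
}
```

Pinning the public key in the client rather than fetching it over the same channel as the update is what makes the check meaningful against an in-path attacker; transport encryption alone would not cover the case where the update server itself is impersonated.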
(Image: Baidu headquarters, Kokuyo, CC-BY-SA)