A new report alleges that the popular Baidu Browser is riddled with security holes, making it highly vulnerable to attacks. The problems affect both its Android and Windows versions, in addition to hundreds of other apps developed by the company.
Citizen Lab, a research outfit operating within the University of Toronto, claims that Baidu Browser sends sensitive user information to its servers either without encryption or with easily breakable encryption. It is additionally defenseless against man-in-the-middle attacks during software updates.
The range of information that could potentially be stolen is staggering. An attacker could easily get their hands on an Android user’s IMEI number, GPS coordinates, URLs visited, search queries, and a list of nearby wireless networks. Similarly, the Windows version transmits the network’s MAC address, CPU model number, and HDD serial number without sufficient security.
Furthermore, both versions are at serious risk while Baidu Browser updates itself. Because the upgrade process lacks code signature safeguards, an in-path malicious actor could force the program to download and execute arbitrary code.
Citizen Lab thinks these data leaks are taking place because of the Baidu software development kit. This SDK is used by hundreds of apps built by the brand and third parties for the Google Play Store and a popular Chinese app store. The research team behind the findings chose to inform the company before they published the results in order to give it time to resolve the issues.
Baidu subsequently sent out an update for its browser. However, Citizen Lab claims the company has fixed very little. Most of the security vulnerabilities still exist, with a few exceptions here and there. For instance, software updates on Android now take place over HTTPS.
In response to Citizen Lab’s questions, Baidu said it stores records in secure datacenters and shares only non-sensitive information with commercial parties. This doesn’t explain why it collects so much personal data, though. Most users probably aren’t even aware of the extent of this intrusion into their privacy.