Browser made by China's top search engine leaks almost everything

Hide our snooping? Why bother asks China's Google clone

Sit down, so you don't injure yourself falling down in surprise: the browser provided by China's Baidu is a privacy nightmare.

That's the conclusion of Canada's Citizen Lab, which watched the wire while the browser was running and needed a lie-down itself from what it found.

Baidu is China's top search engine and, like Google, the company has branched out into advertising and provides a browser. Like all substantial enterprises in China, Baidu does its best to stay on the right side of written and unwritten government policy.

Citizen Lab's assessment of the company's browser says it “... collects and transmits a lot of personal user data back to Baidu servers that we believe goes far beyond what should be collected, and it does so either without encryption, or with easily decryptable encryption”.

The Android version of the browser spaffs home office servers with unencrypted GPS coordinates, search terms, and URLs visited. Weak encryption is applied to the IMEI number and identifiers of nearby WiFi hotspots.

The Windows version is even more chatty, firing off “search terms, hard drive serial number, network MAC address, title of all webpages visited and GPU model number”.

Since the information passes in the clear, it can also be snooped by telecommunications carriers, ISPs, and public WiFi operators.

Then there's the matter of user protection: there isn't any to speak of. Quoting Citizen Lab again: “neither the Windows nor the Android version of Baidu Browser protect software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code”.
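The missing control in that last finding is a signature check before an update is executed. As an added illustration (not code from Baidu, Citizen Lab or this article), the following hypothetical updater signs a payload with a vendor Ed25519 key on the build side and refuses, on the client side, to apply a payload whose signature does not verify under the pinned public key; the payload and key names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the client downloads: the payload plus a detached
// signature over it. An in-path attacker can alter the payload but
// cannot produce a valid signature without the vendor's private key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate runs on the vendor's build server; the private key never
// ships inside the client.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate runs in the client before anything is written to disk or
// executed. pub is pinned in the client binary at build time.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pub, u.Payload, u.Signature) {
		return errors.New("update rejected: signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	upd := SignUpdate(priv, []byte("constructed update payload v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, upd)) // <nil>

	// Simulate an in-path swap of the payload; the signature no longer matches.
	upd.Payload = []byte("constructed attacker payload")
	fmt.Println("tampered update:", VerifyUpdate(pub, upd)) // rejected
}
```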

The only way things could be worse would be if it was coded this way deliberately. That would never happen, would it?

Baidu answered Citizen Lab's questions here. ®