QQ Browser, a major Chinese web browser from Tencent with millions of users around the world, has been found leaking data with which users can be identified, tracked and attacked.
A major Chinese web browser – with around 16 million non-Chinese users – leaks personal data that means its users can be identified, tracked and subjected to man-in-the-middle attacks, according to the noted Canadian privacy research group Citizen Lab.
What's more, the flaws in QQ Browser from China's £11 billion-turnover Tencent are “strikingly similar to security vulnerabilities” the researchers found last year in Alibaba's UC Browser and Baidu's Baidu Browser – raising privacy and security questions about all three of China's top browsers and affecting hundreds of millions of users.
In its latest 28 March report, Citizen Lab says both the Android and Windows versions of QQ Browser transmit personally identifiable data to Tencent without encryption or with easily cracked crypto, and are also vulnerable to arbitrary code execution during software updates. Between them, the two versions exposed unique user data, nearby WiFi access points, search queries and web pages they visited.
Citizen Lab points out that Edward Snowden-leaked documents show such vulnerabilities are actively used by intelligence agencies to identify and track users.
Citizen Lab adds: “This insecure data transmission means any in-path actor – such as a user's ISP, a coffee shop WiFi network, or a malicious actor with network visibility across any of these access points – could acquire this personal data by collecting traffic and performing any necessary decryption. In addition, in both tested versions a malicious actor would be able to spoof a software update to install malicious code on a user's device.”
In its report, Citizen Lab demonstrates man-in-the-middle attacks on both the Android and Windows browsers.
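The update-spoofing problem described above comes down to a client that installs whatever arrives on the wire. As an added illustration, not code from Citizen Lab's report or from Tencent, here is the check a secure updater performs, written in Go with the standard library's Ed25519 support: the client ships with the vendor's public key pinned, the vendor publishes a signed manifest that carries the SHA-256 of the update bundle, and the client refuses any update whose manifest signature or bundle hash fails. The key pair, manifest fields, function names and sample bundle bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed update descriptor the vendor signs. The client
// learns the expected bundle hash from here, never from the bundle itself.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the serialized manifest and an Ed25519 signature over it.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// BuildSignedManifest is the vendor-side step: hash the bundle, embed the hash
// in the manifest, and sign the manifest bytes with the vendor's private key.
func BuildSignedManifest(priv ed25519.PrivateKey, version string, bundle []byte) (SignedManifest, error) {
	sum := sha256.Sum256(bundle)
	raw, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side check. pub is pinned in the client at build
// time; everything an in-path party could alter (manifest, signature, bundle)
// is treated as untrusted until both the signature and the hash check pass.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, bundle []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("update rejected: manifest signature does not verify against pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("update rejected: malformed manifest: %w", err)
	}
	sum := sha256.Sum256(bundle)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return Manifest{}, errors.New("update rejected: bundle hash does not match signed manifest")
	}
	return m, nil
}

func main() {
	// Constructed vendor key pair; in a real product only pub ships in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed update bundle, version 2.0.0")
	sm, err := BuildSignedManifest(priv, "2.0.0", genuine)
	if err != nil {
		panic(err)
	}

	// 1. Genuine manifest, genuine bundle: accepted.
	if m, err := VerifyUpdate(pub, sm, genuine); err == nil {
		fmt.Println("installing version", m.Version)
	}

	// 2. Genuine manifest, bundle swapped in transit: rejected on the hash check.
	swapped := []byte("constructed malicious bundle")
	if _, err := VerifyUpdate(pub, sm, swapped); err != nil {
		fmt.Println(err)
	}

	// 3. Manifest re-signed with a key the client does not trust: rejected on the signature.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := BuildSignedManifest(otherPriv, "2.0.1", swapped)
	if _, err := VerifyUpdate(pub, forged, swapped); err != nil {
		fmt.Println(err)
	}
}
```

The signature is what makes the hash meaningful: a hash fetched over the same unauthenticated channel as the bundle can be rewritten along with it, which is exactly the in-path position the report describes. A production updater would additionally refuse manifests whose version is older than the installed one, so that a correctly signed but outdated manifest cannot be replayed to roll a client back.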
It adds: “Our analyses of QQ Browser, Baidu Browser and UC Browser have shown that all three popular browsers made by three of the biggest tech companies in the world contain strikingly similar security vulnerabilities. The breadth of data collected is arguably excessive, and would likely raise concerns among the users of these applications were they aware of it. It would be especially concerning for high-risk users, which in China could include democracy activists, journalists, human rights advocates, lawyers and others.”
According to the latest figures, QQ Browser is installed by nearly half of all Chinese mobile browser users, and had 16 million non-Chinese users in 2012, the vast majority of whom are in other Asian countries. Supplier Tencent is one of China's largest tech companies and sells two of the world's most popular instant messaging platforms, WeChat and QQ.
Citizen Lab alerted Tencent to the QQ Browser problems in February. It responded by issuing new Android 6.4.2 and Windows 9.3.6872 versions earlier this month. But Citizen Lab says of the updates: “Some of our reported issues have been partially resolved and some remain unresolved.”
Analysing Citizen Lab's findings, UK privacy expert Professor John Walker of Nottingham Trent University and director of cyber-security services firm Hexforensics said the problems are severe enough to stop companies using QQ Browser.
He told SCMagazineUK.com via email: “Whether the security exposures in this product are driven by state-sponsored direction or are just down to sloppy coding, the same conclusion is that this is not a product that is synonymous with security, and therefore should not be used by user or company.
“It also places a question mark over an Internet of Things where users are eager to try the latest online tools without qualified understanding of any security implications which may be present. In this case – where the QQ Browser may represent an interface to the web where the user trustingly inputs their public, private and sensitive data – the implications can be assessed as severe.”
In its report, Citizen Lab questions whether there is an underlying reason why all three Chinese browser apps exhibit similar insecurities. It speculates that this could be down to a combination of “common engineering norms the browser developers are following which are particularly loose in terms of privacy and security”, and “directives from the government or informal pressure from state security officials to build in a kind of ‘surveillance by design'.”
Citizen Lab emphasises: “We have no explicit evidence that the government of China directed these specific design choices.” But while it has directly asked Tencent why it designed QQ browser to transmit sensitive user data and who it shares it with, it has had no response so far.
Commenting on this, Jens Monrad, a global threat analyst with FireEye, told SC via email: “There is no solid evidence that poor privacy and/or security may be from state pressure, so it is pure speculation whether someone was forced to develop products with weaker security, offering the state a backdoor for surveillance, monitoring or control. But historically there have been several published reports on strict internet usage as well as internet censorship in China. Chinese web browsers tend to collect much more information than the top browsers from outside China and this information typically makes it easier to link activity to a specific individual.
“However, I do not believe it is possible to offer some sort of state backdoor into a product or technology, without exposing the users as well as the product to a potential harmful third party. This is in parallel with the ongoing discussion about state backdoors for cyber, as there is no guarantee that it will remain only accessible to the ones it was designed for and also raises the question around general mass surveillance and right to privacy on the internet.”

Citizen Lab's report adds: “Tencent's messaging apps have been the focus of controversy in the past, with China-based dissidents expressing concern that their WeChat communications may have been monitored by Chinese authorities. In response, Tencent stated ‘We have taken user data protection seriously in our product development and daily operations, and like other international peers we comply with relevant laws in the countries where we have operations'.”