The Baidu Browser has been discovered to be a massive security and privacy breach on both Android and Windows. Built and distributed by Chinese technology giant Baidu, the browser has been discovered to transmit user GPS location, search terms, URLs visited, MAC addresses, HDD serial numbers, CPU model numbers, and even file system serial numbers. All over a badly implemented encryption system.
The privacy issues were first discovered by Citizen Lab, a research group from the University of Toronto. The group also found that the update system for the Baidu Browser was vulnerable to man-in-the-middle attacks; although that security issue appears to have been fixed by now.
On the other hand, Baidu has not provided a reason for needing to store all that user information. Despite this, the company responded to Citizen Lab’s request for more information by saying that its servers are protected by state-of-the-art security systems.
While the amount of information being transmitted back to Baidu servers is troubling, the fact that the encryption used is barely up to standard makes the situation worse. Citizen Lab discovered that the browser uses symmetrical encryption and hard-coded keys, which is much easier to crack than the modern assymmetrical encryption. Baidu says that it is in the process of upgrading its servers to increase security.
Baidu’s browser is not entirely all that popular outside China, which makes this security issue slightly less troubling. That being said, this sort of behaviour is unacceptable for just about any application – especially one that has access to so much user information.
[Source: Citizen Lab]