Baidu Browser Acts Like a Mildly Tempered Infostealer Virus

An anonymous reader writes: The Baidu Web browser for Windows and Android exhibits behavior that could easily be categorized by a security researcher as an infostealer virus because the browser collects information on its users, and then sends it to Baidu's home servers.

Both versions collected waaaaay to much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.

All 'telemetry' is SPYING.

All 'telemetry' is SPYING.

True to life

[avandesande]

The is the first time I have heard of the browser and the name 'Baidu' elicits the sense of something that you would not trust from some Asian origin.

Re:True to life

Baidu is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?

Re:True to life

[tnk1]

Yes. You should not instantly mistrust it because it sounds Asian. That would be wrong.

You should mistrust it because this is Baidu you're talking about here.

Re:True to life

Baidu is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?

As a Chinese "Google," it also 100% caves into any and all government requests for censorship, page removal, data, whatever. You know there's a reason why there is no google.cn, right? And why half the time Google and all its services are blocked (not sure of the current state--it tends to go back and forth) in China.

Re:True to life

[wardrich86]

I could be mistaking it for another Chinese company, but I believe this is not the first time Baidu has come under fire for phoning home excessively and with unrelated data.

Re:True to life

[Flavianoep]

Baidu is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?

Who cares about the Alexa rank of site? Yahoo.com is also one of the five most visited websites in the world and people here keep saying it's not relevant anymore.

Re:True to life

Baidu is the equivalent of Google (which is blocked in China but wasn't that popular to begin with) for 1.3 billion Chinese. It's the first place they go to search. Like Google, there are alternatives. When my phone broke in China and I had to buy a new Android phone, it came (like most phones in the Chinese market) with Baidu everything -- Baidu app store, Baidu browser default, etc. Remember that Google (including Google play) is blocked, so these are the default Android apps. In other words, it has a pretty whopping huge installed base. I guess by default I just assumed that the Chinese government could easily acquire any information on that phone, so I just didn't store all that much. Not that it's really that different from being spied on by Google/NSA, but one gets the feeling that they sometimes act more directly on the information they collect.

Re:True to life

[softnewsit]

By the way Google got forced out of China, that company is 101% in cahoots with the government.

Re:True to life

According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?

There are 1.3 billion people in China, where google is banned and blocked, so I'm not sure why you're surprised that their government's replacement is one of the most heavily visited on the planet. Or why you'd be surprised that it's heavily monitored, or why you'd be surprised that the App for it does everything it can to suck as much data as it can on anyone who uses it.

Re:True to life

[barbariccow]

yahooooooooooooooooooooooooooooooo toolbarrrrrr

Re:True to life

[allo]

It's just wrong, yahoo is still the favourite search engine for many, even when they start by typing yahoo in their google searchtoolbar.

China.

What else would you expect?

Re:China.

microsoft, google, and facebook are u.s. companies... datamining users for fun and profit and for government goodwill is not country-specific.

Re: China.

A copy of something successful, so yeah, spot on, Chinese Google.

Re:China.

[DahGhostfacedFiddlah]

With the number of hacks coming from China, I'd at least expect them to understand the value of signing their code.

Re:China.

[mjwx]

microsoft, google, and facebook are u.s. companies... datamining users for fun and profit and for government goodwill is not country-specific.

Yes, but Facebook, Google, Apple and Microsoft are all Companies, therefore any action they take is doubleplus(R) good(TM). Baidu is partially state owned by the Chinese, therefore that is Baaaaad.

It seems like you're starting to de-capitalise comrade, report to the neared Rand centre for re-education citizen.

Re:Crome

[ArchieBunker]

I keep hearing this. Where are the packet dumps showing what info is collected?

meh, grammer is way to bad

http://www.urbandictionary.com/define.php?term=Way+Too

waaaaay too pregnant

[Pseudonymous+Powers]

Both versions collected waaaaay to much information that has nothing to do with analytics...

This is a meaningless statement, mostly because "analytics" is always a just a weasel-word for "spying". The only acceptable amount is zero.

Re:waaaaay too pregnant

[vux984]

Not really.

If you run a grocery store and you put X on the left in one store, and on the right in another, and you record that it sells better when on the left, and then change all your stores, that's analytics too. Its not "spying", its not a weasel word for spying.

There are all kinds of ways one can do analytics without "spying". Hell, serving have your web visitors one ad, and half the other and seeing which has a better sales coversion rate, that's analytics too.

Re:waaaaay too pregnant

[Pseudonymous+Powers]

Yes, okay, fine, I misspoke: The word "analytics" can mean things other than spying. Just not in the context of web browsers that phone home. There is no God damn thing about my browsing habits I want the maker of my browser knowing. Not what, not where, not when, not how long, not how much, not what type. I guess I'm not too worried about them knowing I downloaded it, but then again, if I could conceal even that datum from them, I would.

hmmm....

Speaking of spyware.... Slashdot doesn't seem to concerned about people's privacy either.

Re:hmmm....

Bye.

Don't do viruses kids

From my perspective, viruses are the most evilest thing since Dial Up Internet Service. I have dealt with them in the past and had bad results from them. Especially if it involves trojans... they might look nice on the outside, but on the inside... they're retarded and disgusting...

Re:Frist Psot

Have a rice day.

Windows 10?

So the Baidu browser is a part of Windows 10?

Re:Windows 10?

[HexaByte]

No, Redmond knows much more about your computer already. The Chinese are just trying to catch up!

Re:Windows 10?

I read this and immediately thought of the Chinese spies from an 'American Dad' episode, ceaselessly asking for "launch codes".

Re:Crome

[HexaByte]

It's different in that it's information are set to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.

waaaaay to much leniency

timothy, do your job ffs. and by that I don't mean shill for your benefactors, I mean EDIT.

Re:waaaaay to much leniency

[U2xhc2hkb3QgU3Vja3M]

I noticed that, to.

Re:waaaaay to much leniency

Agreed, "waaaaay" has extra 'a's.

CAP === 'crowing'

Re:Crome

Well I guess someone from China needs to pop in here and give their opinion. Fact is though Baidu is a blight on the internet. They are not a search engine or other internet related "company", they are a Chinese government collection tool. In typical Chinese fashion, they steal and cheat instead of innovate.

Re:Yeah, that's telemetry, not analytics

Get with the times. To better serve our customers, it's necessary that we know what kind of hardware our software is used on. Our software, got that? Everybody does it.

I hope you're trolling.

Re:Crome

I've been asking for the same from the anti-Microsoft crowd about the Windows 10 packets, and all I've ever been given was a link to a hosts file with a section called "Windows 10 telemetry blocking."

CPU serial

WTF? How does a browser even get the serial number of the CPU?

Re:CPU serial

[mrchaotica]

The same way any other locally-executing program gets it? We're talking about the browser executable itself here, remember, not some web page executing in the Javascript sandbox.

Re:CPU serial

[tnk1]

I actually think they meant the ProcessorId, not the serial number.

In a Windows command prompt, type:

wmic cpu get ProcessorId

You can get it for RAM
wmic memorychip get serialnumber

This information and others are exposed in APIs and is available to whoever wants to use it.

There are similar capabilities in most OSes. They're actually useful informational commands to have, but certainly you don't want to just start throwing them around the Internet.

Re:CPU serial

There are similar capabilities in most OSes. They're actually useful informational commands to have, but certainly you don't want to just start throwing them around the Internet.

Why?

Give a specific example of how this is bad or harmful.

Re:CPU serial

[valdezjuan]

Specifically within wmic and the statement: 'you don't want to just start throwing them around the internet" there are a few specific scenarios and these are just some of the issues.

* accepting wmic from the internet (be it through an open port/MiTM/code injection/whatever) can allow the installing/removing/disabling of the windows firewall, patches, services, etc. - That qualifies as both bad and harmful.

* passing the output of wmic commands on the internet can allow specific targeting of your machine based on the data given and by specific I mean, knowing exactly which payload will bypass that version of EMET or ASLR. Granted, this is a bit 'general' but if I know the specific lock you are using and its serial number, I can start working out which of the possible available keys are required.

Just some things off the top of my head.

Big deal! So does MS Windows!, Ubuntu, Google,etc!

Get over it. You don't like it don't use it or circumvent it!

Baidu is relentless

[JustAnotherOldGuy]

The Baidu search spider is relentless...I see thousands of connections and scans from it every day on many of the sites I own and admin. The logs often contain literally tens of thousands of lines of Baidu requests, and the spider completely ignores the robots.txt file. For example, this usually does not work:

#Baiduspider
User-agent: Baiduspider
Disallow: / ...and neither do most of the other snippets and directives that are supposed to block the Baidu search spider, because it often misrepresents itself.

The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs. It's almost easier just to block all of China.

Re:Baidu is relentless

It's almost easier just to block all of China.

I was going to make a joke about what a devilishly clever scheme this is - to make the rest of the world implement a great firewall of China, rather than having to do it themselves... but now I'm not completely positive anymore that it would not contain a grain of truth...

Re:Baidu is relentless

It's almost easier just to block all of China.

I keep hearing Donald Trump's voice in my head as I read certain things. "CHAY-nuh". Kind of funny.

Trump/Fallon '16!

Re:Baidu is relentless

[QuietLagoon]

...The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs....

I also have been assaulted by the baiduBot relentless search patterns.

.
It is one of the very, very few search bots that do not follow robots.txt directives. (bing and yandex being the other two that I've seen)

Re:Baidu is relentless

Try:
  Baiduspider

Yònghù dàil: Baiduspider
jìnzh:

Re:Baidu is relentless

[sehlat]

So who wrote the spider? Baidu or 3PLA?

Re: Baidu is relentless

Our company blocks all traffic except for the US to our servers. It's a local market, and this greatly reduces our surface of attack.

Re:Frist Psot

Have a lice day.

Re:Crome

[Alypius]

Thought they got rid of that motto?

it can't be worse than the redirects

i'm getting on chrome and chromium.

Re:Crome

[tnk1]

It is definitely different in the scope of what is being collected. It is important to make a distinction even if they are both intrusive to some degree.

Who needs a new browser?

Why bother?

Virus? No.

This is spyware, not virus.

When should timothy have been fired?

Waaaaay long ago

Re:When should timothy have been fired?

he's alright.... let him be

Re:Crome

[nnull]

You can use Baidu to actually search for plans all over China that was stolen over the years. It's all out in the open. Proprietary stuff, code, designs, it makes me laugh.

Re:Crome

[U2xhc2hkb3QgU3Vja3M]

They just got rid of the "no".

robots.txt

[ArchieBunker]

This whole idea of robots.txt is dumb. Its based on the honor system. Imagine if the rest of internet security worked like that. Plenty of awesome sites have gone away and not been archived because of robots.txt.

Re:robots.txt

[Gr8Apes]

it would be better to have the robots.txt file delivered and then act upon it yourself for those known to be bad actors, like a proxy. Think of the wonderful results you could have search engines display if they ignored your robots.txt. Sometimes the best defense is a good offense.

Re:robots.txt

robots.txt isn't a security measure, and anyone trying to use it that way is doing it wrong. It came about due to poorly programmed crawlers inadvertently DoS'ing sites hosted on meager hardware. Legit crawlers have no real reason not to play nice: their whole intent is to spider the site, not hammer it beyond capacity and get a bunch of error pages in their index.

Having a robots.txt file is like having a Terms of Service. Some people will never read it, some will read it and willfully break it, but most people cooperate. When you find someone who doesn't, you can point at the document as justification for firewalling them out.

Where is "much"?

And how does anyone follow the "waaaaay" there?

In a related question, does timothy own a dictionary?

Re:Frist Psot

There is no such thing as Frist Psot or Nice Day. They are merely social constructs.

Trojan not virus

Don't you guys know the difference between a Trojan and a virus?

Re: Yeah, that's telemetry, not analytics

He's not.

Every single company does this to an extent. Some aren't upfront about it like Google and Microsoft.

OK, It collects information

Of the user and the user machine and the user software.
So aren't the users mostly in China?
Or are some upstarts trying out the Baidu thingie in the rest of the world?
BTW - how easy is it to totally block China? ( and MS, Apple, FB, Google, Yahoo.....)

So the web browser is a virus/spyware....

Re:Crome

[buck-yar]

Found this on reddit:

've seen theres a lot of speculation on whether the observed network connections from Windows 10 with privacy options on are actually spying or not, and figured some actual evidence would be in order.

Anyone can recreate this for themselves:

        Fresh install of Windows 10.
        Set all privacy options to off, disable cortana, disable web search
        Ensure all updates are done. Close all programs.
        Install Fiddler, and enable HTTPS sniffing. (If you use wireshark, you wont be able to view the HTTPS)
        Press stream in fiddler.
        Click the windows search bar, type any letter, watch the HTTPS session to bing.com appear.

Im still trying to figure out exactly what it is that it is transmitting, but its for sure sending a user-agent string that identifies itself as Cortana.

Some observed behaviors:

        Clicking on a link from an application (in this case, a download link from within Fiddler) submits the URL you are visiting to urs.microsoft.com.
        Opening applications-- even with SmartScreen disabled-- opens sessions to apprep.smartscreen.microsoft.com and, among other things, submits the hash of the application. EDIT: Apparently you must also disable smartscreen in edge. Even so, it will initiate a connection to w.apprep.smartscreen.microsoft.com
        Typing anything into the search bar will, regardless of settings, initiate an HTTPS session to www.bing.com. It will transmit a cookie, though so far I have not seen anything in there that looks like keystroke monitoring, as the only thing that appears to change between attempts is an HV section of the cookie. It appears to be downloading javascript, and submitting identifying data (screen resolution, install date, SID). The URL it uses is https://www.bing.com/manifest/...
        Opening the settings app and going into account options sometimes opens a session to public-family.api.account.microsoft.com:443. I suppose this would be expected.

fixed it for you

[elgholm]

", as requested by the Chinese government." --- There, I fixed it for you, since you accidentally stopped your last sentence too soon.

Re:Crome

Found this on reddit:

've seen theres a lot of speculation on whether the observed network connections from Windows 10 with privacy options on are actually spying or not, and figured some actual evidence would be in order.

Anyone can recreate this for themselves:

        Fresh install of Windows 10.

        Set all privacy options to off, disable cortana, disable web search

        Ensure all updates are done. Close all programs.

        Install Fiddler, and enable HTTPS sniffing. (If you use wireshark, you wont be able to view the HTTPS)

        Press stream in fiddler.

        Click the windows search bar, type any letter, watch the HTTPS session to bing.com appear.

Im still trying to figure out exactly what it is that it is transmitting, but its for sure sending a user-agent string that identifies itself as Cortana.

Some observed behaviors:

        Clicking on a link from an application (in this case, a download link from within Fiddler) submits the URL you are visiting to urs.microsoft.com.

        Opening applications-- even with SmartScreen disabled-- opens sessions to apprep.smartscreen.microsoft.com and, among other things, submits the hash of the application. EDIT: Apparently you must also disable smartscreen in edge. Even so, it will initiate a connection to w.apprep.smartscreen.microsoft.com

        Typing anything into the search bar will, regardless of settings, initiate an HTTPS session to www.bing.com. It will transmit a cookie, though so far I have not seen anything in there that looks like keystroke monitoring, as the only thing that appears to change between attempts is an HV section of the cookie. It appears to be downloading javascript, and submitting identifying data (screen resolution, install date, SID). The URL it uses is https://www.bing.com/manifest/...

        Opening the settings app and going into account options sometimes opens a session to public-family.api.account.microsoft.com:443. I suppose this would be expected.

Looks like I have some more firewall rules to add.

Re:Yeah, that's telemetry, not analytics

Trolling? What exactly do you find objectionable about that comment?

Telemetry, not analytics? This kind of functionality is indeed called telemetry when it is embedded in applications and not in web sites.

Get with the times? This ties in with both the "telemetry, not analytics" point and the "everybody does it" aspect. Things have changed. The outrage about an application collecting data, even though I completely understand it, is indeed anachronistic.

To better serve our customers? That is the same kind of bullshit that literally everybody else uses to justify why their software phones home (another anachronism). See Valve's hardware stats for one example, but don't kid yourself. It is everywhere. Note that I left open who "our customers" are.

Our software? Just for kicks, read a couple of EULAs. You don't own commercial software. You are merely granted temporary usage rights.

Everybody does it? Yes, that's offensive, but it's also true. None of the big ones, not even well known open source projects, can throw the first stone at Baidu. They might point out that Baidu takes too much, but in principle they're all doing it.

Sounds about right...

They are in good company.
Windows 10 is tracking you. (Link)
Google Chrome is tracking you (Link), well actually recording you, but still...
Facebook tracks the hell out of you (Link), logged in or not (Link)

Hmm

"Both versions collected waaaaay to much information that has nothing to do with analytics..."

Maybe someone could use Baidu to search for the difference between "to" and "too?"

Re:Crome

[LichtSpektren]

It's different in that it's information are set to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.

Chromium is open source, so you know exactly what's being transmitted, and you can audit it yourself if you like. Baidu is a black box and you have no idea what's coming or going.

Hey! Stop that!

[Opportunist]

That's the OS' business!

In China you don't surf your browser....

your browser surfs YOU

Re:Crome

[TheDarkMaster]

I think the most correct action to take is to not install Windows 10.

Remember this, people

[argStyopa]

While I'd be the LAST one to exonerate the misdeeds of my own United States...for all those decrying the "US controls the internet" and all the painting of the US as some sort of malignant capitalist force in the world generally: understand that your actual choice ISN'T the US vs whatever utopia you have cooked up in your head where governments aren't power-hungry monsters and commerce is run by the pleasant hippy guy down at your local co-op who gives you free snacks and coffee "for whatever you feel is fair, dude".

No, the ACTUAL choices in the world we live in are:
- the US
- China
- maybe Russia ...as your superpowers.

As much as the US is deeply flawed in many ways, it's still orders of magnitude more benign than the alternatives.

Re:Remember this, people

I for one welcome our American overlords!

Re:Remember this, people

[mjwx]

While I'd be the LAST one to exonerate the misdeeds of my own United States...for all those decrying the "US controls the internet" and all the painting of the US as some sort of malignant capitalist force in the world generally: understand that your actual choice ISN'T the US vs whatever utopia you have cooked up in your head where governments aren't power-hungry monsters and commerce is run by the pleasant hippy guy down at your local co-op who gives you free snacks and coffee "for whatever you feel is fair, dude".

No, the ACTUAL choices in the world we live in are:
- the US
- China
- maybe Russia ...as your superpowers.

As much as the US is deeply flawed in many ways, it's still orders of magnitude more benign than the alternatives.

Swap Russia for the EU.

Whilst they're slow to act, they are a force to reckon with once roused. They are the single largest economic bloc and are definitely a super power militarily.

Russia has lost superpower status and has fallen in to the BRIC group of minor powers (Brazil, Russia, India, China).

Re:Remember this, people

No, it's not.
The option is mostly between one superpower which no one can take accountable, and many powers less super that give leeway for action - and eventually one day freedom.

China can do much to some people in the world, and part of what it does is evil, but it can't do anything to me nor most of slashdot user - in particular it can't ban encryption at a worldwide level.

Re:Remember this, people

[argStyopa]

The EU a "super power" militarily? Bwahaha.

First, you need to have a military: They couldn't even bomb some Libyan bandits without running out of bombs and needing US air control and mid-air refueling. 5 of the 28 members of NATO even bother to meet their treaty-obligated minimum defense budgets, much less anything more. Most EU country militaries are barely more than ill-concealed jobs programs, and are populated a few patriots but mostly by the hopeless dregs that for some reason can't simply do nothing.
Yes, they (UK...assuming it's still EU this time next year, and France) have nukes; then again, so does North Korea. That doesn't make DPRK a superpower, either.

Second: you have to have the will to actually USE the military. Yes, some few EU states sent token forces to Afghanistan, usually with engagement orders that would be appropriate to kindergarten, not a war zone. Most EU countries are terrified of conflict, afraid to send soldiers into harm's way. For most EU states, they're more likely to wet their pants than use the military forcefully to exert policy

Finally, we'll simply assume for this discussion that the EU actually continues to exist, and doesn't shatter into near-insignificance in the next several years.

I don't disagree with you about Russia though, they're barely more than a 3rd-world state but Putin's aggressiveness and opportunism moves them up a little. But no, you're right, it's really US or China.

My entire point was to illustrate that for all its problems, compared to a Pax Sinaticus, the Pax Americana is pretty benign.

Re:Crome

It's different in that it's information are set to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.

Don't Be Evil. FTFY.

Re:Crome

It's different in that it's information are set to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.

It's different in that I'm not mandated by my government to use Chrome, and they aren't going to come throw me in jail for using a different browser or interfering with the data collection. Assuming the data collection is even remotely on par, which it isn't.

Re:Crome

> Found this on reddit:

not sure why you didn't link the original.

https://www.reddit.com/r/Windo...

Re:Crome

[sehlat]

No. They got rid of it and replaced it with "Do as we say, not as we do."

So it's exactly like Chrome and Edge

but since it's Chinese, let's blow it all out of proportion.

Re:Frist Psot

So what's the big deal? Windows 10 collects telemetry too and privacy is a thing of the past. If you are OK with Windows 10, then you cannot complain about this.

Re:Crome FORGET CHROME!

How is this different from Microsoft? In what way is being spied by a corporation better/worse than being spied by another?

Getting hardware details? I thought that was the idea behind that Genuine authentication... I really don't see any difference.

Soon enough

Mozilla Firefox will be inspired by this browser and roll up yet another forced donotwant update with similar features because people keep unchecking that damn Send Crash Report box!!!!

Code signatures vs MiTM

Lol. Avoiding MiTM doesn't require code signing, it requires encrypted connections (typically with certificate checks, but not always).

Re:Crome

Microsoft encrypts everything that it steals from you, not to protect you, but the prevent you from knowing what they are stealing.

Grammar Nazi says...

[slashdotwannabe]

Both versions collected waaaaay to much information that has nothing to do with analytics, like hard drive models,

*too