Baidu Browser Acts Like a Mildly Tempered Infostealer Virus

An anonymous reader writes: The Baidu Web browser for Windows and Android exhibits behavior that could easily be categorized by a security researcher as an infostealer virus because the browser collects information on its users, and then sends it to Baidu's home servers.

Both versions collected waaaaay too much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.

4 of 97 comments

  1. Re:Crome by ArchieBunker · Score: 4, Interesting

    I keep hearing this. Where are the packet dumps showing what info is collected?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  2. waaaaay to much leniency by Anonymous Coward · Score: 2, Interesting

    timothy, do your job ffs. and by that I don't mean shill for your benefactors, I mean EDIT.

  3. Baidu is relentless by JustAnotherOldGuy · Score: 5, Interesting

    The Baidu search spider is relentless...I see thousands of connections and scans from it every day on many of the sites I own and admin. The logs often contain literally tens of thousands of lines of Baidu requests, and the spider completely ignores the robots.txt file. For example, this usually does not work:

    #Baiduspider
    User-agent: Baiduspider
    Disallow: /
    ...and neither do most of the other snippets and directives that are supposed to block the Baidu search spider, because it often misrepresents itself.

    The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs. It's almost easier just to block all of China.

    --
    Just cruising through this digital world at 33 1/3 rpm...
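The comment above describes two defender problems: a crawler that keeps requesting paths its robots.txt entry disallows, and a crawler that "misrepresents itself". The following is an added example (not code from the thread or from any Slashdot poster) that audits web-server access-log lines against a robots.txt using Python's standard-library `urllib.robotparser`, flags crawler requests to disallowed paths, and separately flags requests whose User-Agent claims a crawler name but whose source IP is outside that crawler's published networks. The robots.txt, the log lines (Combined Log Format) and the `CRAWLER_NETWORKS` map are all constructed for the example; the IP ranges are documentation prefixes, not any real operator's ranges.

```python
"""Audit access-log lines against robots.txt and check crawler IP provenance.

Added example. robots.txt, log lines and CRAWLER_NETWORKS are constructed;
CRAWLER_NETWORKS is a hypothetical stand-in for a crawler operator's published
IP ranges (use the operator's real list in production).
"""
import ipaddress
import re
from collections import Counter
from urllib.robotparser import RobotFileParser

# Constructed robots.txt with the same Baiduspider directive as the comment.
ROBOTS_TXT = """\
# Baiduspider
User-agent: Baiduspider
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed Combined Log Format lines (documentation IP ranges only).
ACCESS_LOG = [
    '192.0.2.5 - - [10/Feb/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '192.0.2.6 - - [10/Feb/2016:10:01:03 +0000] "GET /private/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '198.51.100.1 - - [10/Feb/2016:10:01:04 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.9 - - [10/Feb/2016:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '203.0.113.10 - - [10/Feb/2016:10:01:06 +0000] "GET /private/notes.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/48.0"',
]

# Hypothetical "published" crawler networks, constructed for the example.
CRAWLER_NETWORKS = {
    "Baiduspider": [ipaddress.ip_network("192.0.2.0/24")],
    "Googlebot": [ipaddress.ip_network("198.51.100.0/24")],
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one Combined Log Format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bot_name(ua):
    """Return the crawler token from a '(compatible; Name/ver)' UA, else None."""
    m = re.search(r"compatible; ([A-Za-z]+)", ua)
    return m.group(1) if m else None


def is_spoofed(agent, ip):
    """True when the UA claims a crawler whose known networks exclude this IP."""
    nets = CRAWLER_NETWORKS.get(agent)
    if not nets:
        return False  # unknown crawler: nothing to compare against
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in nets)


def audit(robots_txt, log_lines, base="http://example.com"):
    """Find crawler requests robots.txt disallows, plus per-crawler request counts."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() marks the rules as loaded
    violations = []
    by_agent = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        agent = bot_name(rec["ua"])
        if agent is None:
            continue  # browsers are not bound by robots.txt; skip them
        by_agent[agent] += 1
        if not rp.can_fetch(agent, base + rec["path"]):
            violations.append((rec["ip"], agent, rec["path"], is_spoofed(agent, rec["ip"])))
    return {"violations": violations, "requests_by_agent": by_agent}


if __name__ == "__main__":
    result = audit(ROBOTS_TXT, ACCESS_LOG)
    for ip, agent, path, spoofed in result["violations"]:
        print(f"{ip} {agent} {path} disallowed{' (UA not from known network)' if spoofed else ''}")
    print(dict(result["requests_by_agent"]))
```

robots.txt is advisory, so the audit only reports; the IP list it produces per agent is the input for an actual block at the firewall or web server, and the spoof flag separates a crawler ignoring the rules from a third party borrowing its User-Agent string.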
  4. Re:Crome by buck-yar · Score: 5, Interesting

    Found this on reddit:

    I've seen there's a lot of speculation on whether the observed network connections from Windows 10 with privacy options on are actually spying or not, and figured some actual evidence would be in order.

    Anyone can recreate this for themselves:

            Fresh install of Windows 10.
            Set all privacy options to off, disable cortana, disable web search
            Ensure all updates are done. Close all programs.
            Install Fiddler, and enable HTTPS sniffing. (If you use Wireshark, you won't be able to view the HTTPS.)
            Press Stream in Fiddler.
            Click the windows search bar, type any letter, watch the HTTPS session to bing.com appear.

    I'm still trying to figure out exactly what it is that it is transmitting, but it's for sure sending a user-agent string that identifies itself as Cortana.

    Some observed behaviors:

            Clicking on a link from an application (in this case, a download link from within Fiddler) submits the URL you are visiting to urs.microsoft.com.
            Opening applications-- even with SmartScreen disabled-- opens sessions to apprep.smartscreen.microsoft.com and, among other things, submits the hash of the application. EDIT: Apparently you must also disable smartscreen in edge. Even so, it will initiate a connection to w.apprep.smartscreen.microsoft.com
            Typing anything into the search bar will, regardless of settings, initiate an HTTPS session to www.bing.com. It will transmit a cookie, though so far I have not seen anything in there that looks like keystroke monitoring, as the only thing that appears to change between attempts is an HV section of the cookie. It appears to be downloading javascript, and submitting identifying data (screen resolution, install date, SID). The URL it uses is https://www.bing.com/manifest/...
            Opening the settings app and going into account options sometimes opens a session to public-family.api.account.microsoft.com:443. I suppose this would be expected.