Baidu Browser Acts Like a Mildly Tempered Infostealer Virus
An anonymous reader writes: The Baidu Web browser for Windows and Android exhibits behavior that could easily be categorized by a security researcher as an infostealer virus because the browser collects information on its users, and then sends it to Baidu's home servers.
Both versions collected waaaaay too much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.
All 'telemetry' is SPYING.
What else would you expect?
I keep hearing this. Where are the packet dumps showing what info is collected?
Only the State obtains its revenue by coercion. - Murray Rothbard
Both versions collected waaaaay too much information that has nothing to do with analytics...
This is a meaningless statement, mostly because "analytics" is always just a weasel-word for "spying". The only acceptable amount is zero.
Have a rice day.
It's different in that its information is sent to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.
HexaByte - he's a square and a half!
timothy, do your job ffs. And by that I don't mean shill for your benefactors, I mean EDIT.
The Baidu search spider is relentless...I see thousands of connections and scans from it every day on many of the sites I own and admin. The logs often contain literally tens of thousands of lines of Baidu requests, and the spider completely ignores the robots.txt file. For example, this usually does not work:
#Baiduspider
User-agent: Baiduspider
Disallow: /
...and neither do most of the other snippets and directives that are supposed to block the Baidu search spider, because it often misrepresents itself.
The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs. It's almost easier just to block all of China.
Just cruising through this digital world at 33 1/3 rpm...
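As an added defender-side example (not from the thread or from Baidu), the Python below walks constructed access-log lines, picks out requests that claim to be Baiduspider, and checks each claim with the reverse-then-forward DNS verification crawler operators publish, so spoofed user agents can be told apart from the real spider before anyone reaches for IP-range blocks; it also shows that an empty `Disallow:` permits everything, while `Disallow: /` is the line that blocks. The `.baidu.com`/`.baidu.jp` hostname suffixes are an assumption to re-check against Baidu's current documentation, and every IP, hostname and DNS answer is constructed sample data.

```python
import re
from urllib import robotparser

# Constructed sample data (not from the thread): three requests claiming to be
# Baiduspider plus one ordinary browser hit, in common log format.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2016:10:01:02 +0000] "GET /private/report.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
198.51.100.23 - - [10/Feb/2016:10:01:05 +0000] "GET /private/report.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.9 - - [10/Feb/2016:10:01:07 +0000] "GET /private/ HTTP/1.1" 200 64 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
203.0.113.77 - - [10/Feb/2016:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 Firefox/44.0"
"""

# Fake DNS answers for the demo; a real check would call socket.gethostbyaddr / getaddrinfo.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.baidu.com",  # genuine: PTR and forward record agree
            "198.51.100.23": "vps-23.example.net",        # spoofed UA from an unrelated host
            "203.0.113.9": "spider.baidu.com"}            # forged PTR: forward lookup disagrees
FAKE_A = {"crawl-192-0-2-10.baidu.com": ["192.0.2.10"],
          "vps-23.example.net": ["198.51.100.23"],
          "spider.baidu.com": ["192.0.2.200"]}

# Assumption: the hostname suffixes Baidu documents for its crawler machines.
BAIDU_SUFFIXES = (".baidu.com", ".baidu.jp")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def verify_crawler(ip, ptr=FAKE_PTR.get, forward=lambda h: FAKE_A.get(h, [])):
    """Two-step check: the PTR name must carry a trusted suffix AND resolve back to the same IP."""
    host = ptr(ip)
    if not host or not host.lower().endswith(BAIDU_SUFFIXES):
        return False
    return ip in forward(host)

def audit_log(log_text, robots_txt):
    """Return one record per request whose user agent claims to be Baiduspider."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "baiduspider" not in m["ua"].lower():
            continue
        records.append({"ip": m["ip"], "path": m["path"],
                        "genuine": verify_crawler(m["ip"]),
                        "disallowed": not rp.can_fetch("Baiduspider", m["path"])})
    return records

if __name__ == "__main__":
    for rules in ("User-agent: Baiduspider\nDisallow:\n", "User-agent: Baiduspider\nDisallow: /\n"):
        print(repr(rules))
        for rec in audit_log(SAMPLE_LOG, rules):
            print("  ", rec)
```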
Have a lice day.
Thought they got rid of that motto?
It is definitely different in the scope of what is being collected. It is important to make a distinction even if they are both intrusive to some degree.
The same way any other locally-executing program gets it? We're talking about the browser executable itself here, remember, not some web page executing in the Javascript sandbox.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Yes. You should not instantly mistrust it because it sounds Asian. That would be wrong.
You should mistrust it because this is Baidu you're talking about here.
Baidu is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
As a Chinese "Google," it also 100% caves into any and all government requests for censorship, page removal, data, whatever. You know there's a reason why there is no google.cn, right? And why half the time Google and all its services are blocked (not sure of the current state--it tends to go back and forth) in China.
You can use Baidu to actually search for plans from all over China that were stolen over the years. It's all out in the open. Proprietary stuff, code, designs, it makes me laugh.
I actually think they meant the ProcessorId, not the serial number.
In a Windows command prompt, type:
wmic cpu get ProcessorId
You can get it for RAM
wmic memorychip get serialnumber
This information and more is exposed through APIs and is available to whoever wants to use it.
There are similar capabilities in most OSes. They're actually useful informational commands to have, but certainly you don't want to just start throwing them around the Internet.
They just got rid of the "no".
This whole idea of robots.txt is dumb. It's based on the honor system. Imagine if the rest of internet security worked like that. Plenty of awesome sites have gone away and not been archived because of robots.txt.
Only the State obtains its revenue by coercion. - Murray Rothbard
No, Redmond knows much more about your computer already. The Chinese are just trying to catch up!
HexaByte - he's a square and a half!
I could be mistaking it for another Chinese company, but I believe this is not the first time Baidu has come under fire for phoning home excessively and with unrelated data.
Baidu is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
Who cares about the Alexa rank of a site? Yahoo.com is also one of the five most visited websites in the world and people here keep saying it's not relevant anymore.
Linux is for people who don't mind RTFM.
Found this on reddit:
I've seen there's a lot of speculation on whether the observed network connections from Windows 10 with privacy options on are actually spying or not, and figured some actual evidence would be in order.
Anyone can recreate this for themselves:
Fresh install of Windows 10.
Set all privacy options to off, disable cortana, disable web search
Ensure all updates are done. Close all programs.
Install Fiddler, and enable HTTPS sniffing. (If you use Wireshark, you won't be able to view the HTTPS.)
Press stream in fiddler.
Click the windows search bar, type any letter, watch the HTTPS session to bing.com appear.
I'm still trying to figure out exactly what it is that it is transmitting, but it's for sure sending a user-agent string that identifies itself as Cortana.
Some observed behaviors:
Clicking on a link from an application (in this case, a download link from within Fiddler) submits the URL you are visiting to urs.microsoft.com.
Opening applications-- even with SmartScreen disabled-- opens sessions to apprep.smartscreen.microsoft.com and, among other things, submits the hash of the application. EDIT: Apparently you must also disable smartscreen in edge. Even so, it will initiate a connection to w.apprep.smartscreen.microsoft.com
Typing anything into the search bar will, regardless of settings, initiate an HTTPS session to www.bing.com. It will transmit a cookie, though so far I have not seen anything in there that looks like keystroke monitoring, as the only thing that appears to change between attempts is an HV section of the cookie. It appears to be downloading javascript, and submitting identifying data (screen resolution, install date, SID). The URL it uses is https://www.bing.com/manifest/...
Opening the settings app and going into account options sometimes opens a session to public-family.api.account.microsoft.com:443. I suppose this would be expected.
", as requested by the Chinese government." --- There, I fixed it for you, since you accidentally stopped your last sentence too soon.
Baidu is the equivalent of Google (which is blocked in China but wasn't that popular to begin with) for 1.3 billion Chinese. It's the first place they go to search. Like Google, there are alternatives. When my phone broke in China and I had to buy a new Android phone, it came (like most phones in the Chinese market) with Baidu everything -- Baidu app store, Baidu browser default, etc. Remember that Google (including Google play) is blocked, so these are the default Android apps. In other words, it has a pretty whopping huge installed base. I guess by default I just assumed that the Chinese government could easily acquire any information on that phone, so I just didn't store all that much. Not that it's really that different from being spied on by Google/NSA, but one gets the feeling that they sometimes act more directly on the information they collect.
It's different in that its information is sent to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.
Chromium is open source, so you know exactly what's being transmitted, and you can audit it yourself if you like. Baidu is a black box and you have no idea what's coming or going.
Specifically within wmic and the statement "you don't want to just start throwing them around the internet", there are a few specific scenarios, and these are just some of the issues.
* accepting wmic from the internet (be it through an open port/MiTM/code injection/whatever) can allow the installing/removing/disabling of the Windows firewall, patches, services, etc. - That qualifies as both bad and harmful.
* passing the output of wmic commands on the internet can allow specific targeting of your machine based on the data given and by specific I mean, knowing exactly which payload will bypass that version of EMET or ASLR. Granted, this is a bit 'general' but if I know the specific lock you are using and its serial number, I can start working out which of the possible available keys are required.
Just some things off the top of my head.
That's the OS' business!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the most correct action to take is to not install Windows 10.
Religion: The greatest weapon of mass destruction of all time
By the way Google got forced out of China, that company is 101% in cahoots with the government.
Go away!
While I'd be the LAST one to exonerate the misdeeds of my own United States...for all those decrying the "US controls the internet" and all the painting of the US as some sort of malignant capitalist force in the world generally: understand that your actual choice ISN'T the US vs whatever utopia you have cooked up in your head where governments aren't power-hungry monsters and commerce is run by the pleasant hippy guy down at your local co-op who gives you free snacks and coffee "for whatever you feel is fair, dude".
No, the ACTUAL choices in the world we live in are:
- the US
- China
- maybe Russia
...as your superpowers.
As much as the US is deeply flawed in many ways, it's still orders of magnitude more benign than the alternatives.
-Styopa
According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
There are 1.3 billion people in China, where Google is banned and blocked, so I'm not sure why you're surprised that their government's replacement is one of the most heavily visited on the planet. Or why you'd be surprised that it's heavily monitored, or why you'd be surprised that the app for it does everything it can to suck as much data as it can on anyone who uses it.
No. They got rid of it and replaced it with "Do as we say, not as we do."
yahooooooooooooooooooooooooooooooo toolbarrrrrr
*too
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
It's just wrong; Yahoo is still the favourite search engine for many, even when they start by typing "yahoo" in their Google search toolbar.