Slashdot Mirror


Chinese QQ Browser Caught Sending User Data To Its Servers

An anonymous reader writes: A report from the Citizen Lab at the University of Toronto reveals that the popular QQ Browser is collecting sensitive user information and sending it in an insecure manner to its servers. The Android version is collecting data such as the user's search terms, browsing history, nearby Wi-Fi networks, and the user's device IMSI and IMEI codes. For the Windows version of QQ Browser, the app was caught collecting data such as the user's browsing history, hard drive serial number, MAC address, Windows hostname, and Windows user security identifier. All of this is sent unencrypted, or with weak encryption, to the servers of Tencent, QQ Browser's manufacturer. Additionally, the update process is flawed and delivered in an insecure manner that allows others to manipulate upgrade patches with malicious software. This is the third browser caught exhibiting this behavior after UC Browser and Baidu Browser.

68 comments

  1. Chinese browser leaks data? by Frosty+Piss · · Score: 5, Insightful

    I'm shocked! Shocked, I tell you!

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Chinese browser leaks data? by phishybongwaters · · Score: 1

      Couldn't mod this up as I don't have any points, but you totally stole my comment and opinion on this one.

    2. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      Almost as shocked as when I realized there are people who exist that thought the iPhone COULDN'T be cracked by the letter agencies.

      If they can't break into one of the most popular models of cellphones worldwide they're not doing their job, the FBI just wanted a court precedent for what they were already doing, illegally. Hell, at least the Chinese government are up front about how ridiculously corrupt they are, no false pretenses.

    3. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      FBI just wanted a court precedent for what they were already doing, illegally.

      Close. IMO they wanted to make Apple develop a tool to crack one phone. Then make them crack a dozen. Then a hundred. Then eventually Apple would hand over a generalized iOS-cracking tool to the FBI just to get rid of the workload of constantly cracking seized iPhones. Then a year or three later we would be back to the bad old days of feature phones where every police department had a cheap little black box that would snarf the address book, call log, text messages, etc. from most phones, and they would do it as a routine part of booking.

    4. Re:Chinese browser leaks data? by JustAnotherOldGuy · · Score: 1

      I'm shocked! Shocked, I tell you!

      Beat me to it.

      Yes, this certainly is shocking news, who could have seen this coming?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 1

      I had a Chinese browser once.

      Half an hour later I wanted another one.

    6. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      I'm shocked!

      Perhaps an electrical problem?

    7. Re: Chinese browser leaks data? by Anonymous Coward · · Score: 0

      Exactly. The Chinese are not respectful of their people's rights to privacy, or to knowledge/information. It's bad enough that their safety is compromised. Many governments are like this, but the CCP stands out. The US populace needs to keep a firm hand on its government to prevent further decline in that direction.

    8. Re:Chinese browser leaks data? by tnk1 · · Score: 1

      I'm shocked! Shocked, I tell you!

      If only there was some gambling in that browser, it would be so much better.

    9. Re:Chinese browser leaks data? by phishybongwaters · · Score: 1

      Yes and no, we already knew they could do this, it's just a pain in the ass. What they wanted was a court order to force Apple to provide access to, or build, back doors into the phone bypassing encryption and lockscreen. That's what they wanted, to force Apple into a new, vulnerable, firmware.

    10. Re: Chinese browser leaks data? by ShanghaiBill · · Score: 1

      It is not just the Chinese government. It is also part of Chinese culture. Chinese people have very different expectations of privacy. In China, people will walk into rooms without knocking, ask extremely personal questions, and stick their nose into other people's affairs far more than an American would. I once took my daughter to see a doctor in Shanghai, and the waiting area and the doctor were in the same room. There was a row of chairs, and as each patient was finished, everyone shifted over one seat. So when it was our turn, everyone else in the room sat there and watched and listened while the doctor examined my kid. This was actually very efficient, since there was a "bug" going around, and most people had the same problem. So when you reached the doctor, you already knew what your diagnosis and treatment were going to be. The appointment cost me about $2.

    11. Re:Chinese browser leaks data? by Frosty+Piss · · Score: 1

      Almost as shocked as when I realized there are people who exist that thought the iPhone COULDN'T be cracked by the letter agencies.

      You are talking about an iPhone 4, which is an older phone that does not use the same type of security and encryption as newer iPhones.

      --
      If you want news from today, you have to come back tomorrow.
    12. Re: Chinese browser leaks data? by Anonymous Coward · · Score: 0

      So it's just like any other app on Play or Appstore?

    13. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      Yes, how dare the Chinese beat the FBI to this kind of snooping.

      Mind you the FBI only uses "Freedom spying"

    14. Re:Chinese browser leaks data? by eumoria · · Score: 1

      In other news: The sun rose today!

    15. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      > Re:Chinese browser leaks data?

      Chinese and American browser leak data?

      There. FTFY.

      These articles claiming China does different things from the USA are shameless to the bone. Next step is saying "we do but everybody does it"...

    16. Re:Chinese browser leaks data? by Anonymous Coward · · Score: 0

      "Your secret data, Sir."

      "Oh, thank you!"

      The next two lines, updated per the issue at hand.

    17. Re: Chinese browser leaks data? by Anonymous Coward · · Score: 0

      You are talking about communist China. That shit wouldn't fly as much in free China

  2. Please forgive me by Anonymous Coward · · Score: 5, Funny

    "In Communist China, internet browses YOU!"

    1. Re:Please forgive me by Zocalo · · Score: 1

      Also in Communist China, QQ Browser rage quits YOU!

      Seriously, was there a deliberate clue in the name or something?

      --
      UNIX? They're not even circumcised! Savages!
  3. Chrome also does so? by Anonymous Coward · · Score: 0

    So that we can sync the bookmarks and etc across different places?

    1. Re:Chrome also does so? by phishybongwaters · · Score: 1

      I do not think Chrome is syncing my fucking Windows SID, but you know what? I never actually checked. So, for any app to sync my bookmarks, it needs my login to said app, then my bookmarks. So WTF is it doing sending: hard drive serial number, MAC address, Windows hostname, and Windows user security identifier? My hard drive serial number? That helps "sync my bookmarks?" Come the fuck on man

    2. Re:Chrome also does so? by Anonymous Coward · · Score: 1

      I'd imagine you are correct. However, as devil's advocate - here we go.

      Windows hostname - so that it can show you what tabs / sites you have had open on each device. Chrome also shows this. Also so it can show the machine name of any "suspicious" log on attempts.

      Windows user SID - many people share a computer. One logs off, the next logs on. So it may need more than hostname to sync the bookmarks for more than one person.

      HD Serial Number - yeah that one makes no sense. It isn't even useful information for the vendor as far as I can think of.

      MAC Address - perhaps this is so that your bookmark sync doesn't get screwed up if you change the name of your computer?

      Anyway, you are likely right, but it isn't hard to think of how some of this may indeed be needed.

    3. Re:Chrome also does so? by Anonymous Coward · · Score: 0

      Which is why we need more websites to support simple browsers like lynx, then start WireShark before each browsing session...just to be sure!
      If only I could find a proper outlet to ground my tin-foil hat, I'd feel safe thinking freely.

    4. Re:Chrome also does so? by crbowman · · Score: 1

      Forget about why it's sending the hard drive serial number. Why is Windows (or any OS) giving an app my hard drive serial number? What possible use could there be for that without some sort of security/privacy dialog?

    5. Re:Chrome also does so? by Anonymous Coward · · Score: 0

      Christ, you are incredibly slow.

      At least since the advent of Windows 95, every single goddamned Windows bug that isn't a BSOD producer LEAKS YOUR DATA.

      The first big Win95 bug MS went public with, not many months after initial release, was that any Win95 user that connected across a network was COMPLETELY EXPOSED, BOTH THE DATA BEING TRANSFERRED AND THE SENDING MACHINE'S DISK. Anybody stupid, foolish, or naive enough to think that was a MISTAKE that somehow survived MS' [alleged] QA should voluntarily leave the gene pool.

      Old saying: once is accident, twice is coincidence, three times is enemy action. How many "passes" does MS get on its Windows OS family being almost completely insecure and impossible TO secure? All that's bad enough, but now we have all the user-NOT-controllable "phone home" feces 7/8/10 versions now pull.

      But, if you've got nothing to hide, you've got nothing to fear, right?

  4. this is different from Goog or MS... how, again? by Anonymous Coward · · Score: 0

    The Android version is collecting data such as the user's search terms, browsing history, nearby Wi-Fi networks, and the user's device IMSI and IMEI codes. ... Windows version of QQ Browser, the app was caught collecting data such as the user's browsing history, hard drive serial number, MAC address, Windows hostname, and Windows user security identifier

    That sounds a terrible lot like the behaviour of both Google and Microsoft, which people seem to accept without a problem. How exactly is this any different, except whereas Google also tries to gather other things like the contents of your emails and your social contacts?

    popular QQ Browser

    "Popular". I don't think that means what they think it means. Thus far I have never seen this "QQ Browser" appear in a list of the most popular N browsers, even for some large values of N.

  5. App caught apping by Anonymous Coward · · Score: 0

    On a scale from 0 to very surprised, I'm at 0.

  6. Popular? by xxxJonBoyxxx · · Score: 0

    You say this is a "popular" browser, but who really runs a non-standard browser anyway? (I just haven't seen it.)

    1. Re: Popular? by Anonymous Coward · · Score: 0

      The Chinese mostly.

    2. Re:Popular? by jimbob6 · · Score: 2

      The worlds most popular beer is or Snowflake beer but you probably haven't heard of that either.

    3. Re:Popular? by jimbob6 · · Score: 1

      Encoding screwed that post up. There's supposed to be a Chinese word in there that translates to "Snowflake beer".

    4. Re:Popular? by Anonymous Coward · · Score: 0

      In English, it's called Snow Beer. Big brand in China. Not as good as Heineken or Tsing Tao, but better than Reeb. It's not hard to be the number one anything in the world if you get a significant population of China using it.

  7. Just like another by Anonymous Coward · · Score: 1

    Chrome does the same thing, when will it get a ./ article?

    1. Re:Just like another by Anonymous Coward · · Score: 0

      It's anti-China propaganda even though software from other countries does the same thing. Who's paying for this mud-slinging?

    2. Re:Just like another by Anonymous Coward · · Score: 0

      Just because other countries pull China's crap doesn't make it right for one second.

      That said, China is a particularly repressive regime, and the more this sort of thing gets exposed, the better.

  8. Re:this is different from Goog or MS... how, again by FrankHaynes · · Score: 2

    I've never even heard of the QQ browser, but my sentiments are along the same lines as yours.

    When you live in the cloud, it's easier to get rained on.

    --
    slashdot: A failed experiment.
  9. Re:this is different from Goog or MS... how, again by aix+tom · · Score: 1

    That sounds a terrible lot like the behaviour of both Google and Microsoft, which people seem to accept without a problem. How exactly is this any different, except whereas Google also tries to gather other things like the contents of your emails and your social contacts?

    To be fair, both Microsoft and Google will probably use better encryption while stealing your data, so that it is not discovered that easily.

  10. You know what would really be shocking? by JustAnotherOldGuy · · Score: 5, Insightful

    What would really be shocking is if it didn't send data back to some Chinese mothership somewhere.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  11. What next ? by Anonymous Coward · · Score: 0

    American Google Chrome Caught Sending User Data To Its Servers !

  12. It is your choice by Anonymous Coward · · Score: 0

    When you buy a gadget and install apps you choose certain law enforcement authorities and spies.

  13. Re:this is different from Goog or MS... how, again by Frosty+Piss · · Score: 1

    That sounds a terrible lot like the behaviour of both Google and Microsoft, which people seem to accept without a problem.

    Perhaps this is the problem:

    ...and sending it in an insecure manner to its servers.

    --
    If you want news from today, you have to come back tomorrow.
  14. Re:Remember: Only apps can app apps! by Anonymous Coward · · Score: 0

    Took the words right out of my mouth

  15. Software freedom, not nationalism, is needed. by jbn-o · · Score: 4, Insightful

    The real problem is nonfree software—software which denies its users the freedoms of free software—which is also appropriately called user subjugating, proprietary software—not nationalism. There are plenty of software distributors in other countries that mistreat their users by distributing proprietary software. All proprietary software is inherently untrustworthy because proprietary software doesn't grant its users software freedom. Some distributors distribute proprietary software precisely because they know they stand a good chance of getting away with malware (including digital restrictions, spyware, ransomware, and backdoors).

    1. Re:Software freedom, not nationalism, is needed. by Flavianoep · · Score: 1

      Tell me, you are the "apps apping apps" guy, aren't you?

      --
      Linux is for people who don't mind RTFM.
  16. File manager by Anonymous Coward · · Score: 0

    One of the most popular file managers for Android is being developed by an anonymous Chinese developer company. Try to find any info about it, you can't. Maybe it's time to say it loud.

    1. Re: File manager by Anonymous Coward · · Score: 0

      Like its name?

  17. Unsecured and unencrypted? by phorm · · Score: 1

    Actually that might be a good thing. For one, the bad traffic was easily found, and for another it might be rather easy for some enterprising individual to mock-up some traffic and feed their servers with junk data...

  18. Why are they using these browsers by Anonymous Coward · · Score: 1

    Anyone know the reason why people in China would be using QQ, etc. over more typical stuff elsewhere? It seems like these browsers are made by various Chinese online services - why are they popular? Or is it just one of those things where a tiny minority of Chinese users are using these things and that's still a huge number?

    1. Re:Why are they using these browsers by Anonymous Coward · · Score: 0

      The same reason why Americans drive cars made by General Motors. It's a mixture of patriotism and local companies scratching their itches better than foreign companies. You have gotten so used to Europe just eating up the American way of life that you can't conceive of a country where people don't automatically think of American products as "modern".

    2. Re: Why are they using these browsers by Anonymous Coward · · Score: 0

      It's very simple really; everyone in China that uses the internet basically uses QQ (the web portal). If you don't use QQ you are a luddite (in people's opinions). Therefore, everyone just uses it.

      Also, in China, things like online security don't even come into people's thoughts at all. They don't think about it and even if it's brought up, they just don't care.

      Then again, this is your average internet user anywhere, it's just that here in the US we don't have a massive web portal like QQ, which would be like Amazon, YouTube, Facebook and Netflix all being the same website (and more).

  19. Chrome by Anonymous Coward · · Score: 0

    I'm logged in to Chrome, and somehow all my computers know all my form data and browsing history. How do they do it?

  20. Time for a simple basic web browser? by Anonymous Coward · · Score: 0

    Isn't it time there was a simple web browser that could be used to view videos and images without the risk of things calling home? Why do existing browsers *need* to connect to the root window of the display and refuse to run under any other UID apart from the display owner?

  21. A very appropriate name for that browser. by Anonymous Coward · · Score: 0

    Lot of QQing if you use it.

  22. Re:this is different from Goog or MS... how, again by ShanghaiBill · · Score: 4, Interesting

    I've never even heard of the QQ browser

    QQ is huge, used by hundreds of millions of people. It is far more than just a browser. It is an entire social network, with forums, games, and even a virtual currency, QQCoin. When my daughter wanted a dog, I bought her a virtual dog on QQ instead, and told her that I would get her a real dog if she could take care of the virtual dog for a year, and give it virtual food and virtual water everyday (costing more QQCoin). Unfortunately, when we went on vacation, she forgot to suspend it, and it starved to death while we were gone. I also used QQCoin to buy a virtual mink coat for my wife's avatar. So she has a mink coat that all her chat-friends can see, yet no actual minks are harmed. Win-win.

  23. Coming soon by Anonymous Coward · · Score: 0

    Soon coming to America in November 2016.

  24. I Am Shocked! by Anonymous Coward · · Score: 0

    I am shocked to hear that this is happening. Next you'll be telling me that there is gambling in this establishment.

    Here's another shocker for you:

    Google Chrome does the same thing, albeit via an HTTPS channel.

  25. Let's not ignore the log in our own eye here. by Anonymous Coward · · Score: 1

    I see a lot of comments about how this should just be assumed because it's China. The irony is that the very same assumptions are being made about U.S. tech based on the behavior of the government and corporations. Let's be clear here: It's wrong when the Chinese government or corporations do it, and it's wrong when the U.S. government or corporations do it. And, if we're not careful, the U.S. is going to look a lot more Chinese as time goes on, and the rest of the world will simply stop buying what we are selling.

  26. How is this a big deal by Anonymous Coward · · Score: 1

    given that Google Web Search, Chrome, and Windows send even more sensitive information on you back to Google and Microsoft? Typical anti-Chinese propaganda.

    1. Re:How is this a big deal by Actually,+I+do+RTFA · · Score: 1

      Chrome has an option not to send info to Google (is it respected?). And you can hide your google searches by using a variant like startpage.

      And MS didn't start that til Windows 10. Although, people have collectively lost their shit over Windows 10 (correctly so).

      --
      Your ad here. Ask me how!
  27. #accidentallyonpurpose by sydbarrett74 · · Score: 2

    Doubtless, this is a 'feature' mandated by the Chinese government and not a bug.

    --
    'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  28. Re:this is different from Goog or MS... how, again by asasdlfgnjl · · Score: 1

    There's a browser that will one-up QQ, Opera. Opera does all of that, and also reads what pages you have on speeddial, uploads to server and can insert ads into speeddial based on it.

  29. Re:this is different from Goog or MS... how, again by Anonymous Coward · · Score: 0

    I also used QQCoin to buy a virtual mink coat for my wife's avatar. So she has a mink coat that all her chat-friends can see, yet no actual minks are harmed. Win-win.

    So does the wife now give you virtual poontang?

  30. yeah. Like this is a surprise? by WindBourne · · Score: 1

    Obviously, they have to give up all data to the Chinese gov. This is so that the wonderful Chinese gov can keep their ppl safe. It would NEVER be about restricting their access or finding out who is locating information about freedom.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  31. You're not very good at this THINKING thing... by Anonymous Coward · · Score: 0

    China is a communist nation with one-party-rule and EVERYTHING is on some level tied to the government and its military and spies. Technically, as a communist nation, the government owns everything and everybody works for the government and the communist party. Any illusory "freedom" and independent business activity is just that - an illusion. If the Chinese government orders a supposedly independent business to inject spy tech into its products it must do so with no questions asked, but it probably needs to issue no such order because the operators of the so-called business are probably loyal party members.

    In the US, the businesses are in fact quite separate from the government and if the government wants one to do something it likely needs to go to court - which would defeat the purpose by making the incident public. In the US, a company like Apple feels perfectly safe standing up to the government and calling for its day in court. During the entire Apple/FBI cellphone incident, Tim Cook and his employees never had to fear that they or their families might suddenly disappear in the night and end up being executed or sent to labor camps. In the US, people (both the "individual" (biological) sort, and the (synthetic) "corporate" sort) have God-given legal rights protected by the Constitution. Communist nations like China recognize no such right that trumps government authority.

  32. Re:this is different from Goog or MS... how, again by Anonymous Coward · · Score: 0

    >So does the wife now give you virtual poontang?

    online, yes.

    in mom's basement, not so much, no.