Chinese QQ Browser Caught Sending User Data To Its Servers

An anonymous reader writes: A report from the Citizen Lab at the University of Toronto reveals that the popular QQ Browser is collecting sensitive user information and sending it in an insecure manner to its servers. The Android version is collecting data such as the user's search terms, browsing history, nearby Wi-Fi networks, and the user's device IMSI and IMEI codes. For the Windows version of QQ Browser, the app was caught collecting data such as the user's browsing history, hard drive serial number, MAC address, Windows hostname, and Windows user security identifier. All of this is sent unencrypted, or with a weak encryption, to Tencent's servers, QQ Browser's manufacturer. Additionally, the update process is flawed and delivered in an insecure manner that allows others to manipulate upgrade patches with malicious software. This is the third browser caught exhibiting this behavior after UC Browser and Baidu Browser.

Chinese browser leaks data?

[Frosty Piss]

I'm shocked! Shocked, I tell you!

Re:

[Rob MacDonald]

Couldn't mod this up as I don't have any points, but you totally stole my comment and opinion on this one.

Re:

[Rob MacDonald]

yes and no, we already knew they could do this, it's just a pain in the ass. What they wanted was a court order to force Apple to provide access to, or build, back doors into the phone bypassing encryption and lockscreen. That's what they wanted, to force apple into a new, vulnerable, firmware

Re:

[Frosty Piss]

Almost as shocked as when I realized there are people who exist that thought the iPhone COULDN'T be cracked by the letter agencies.

You are talking about an iPhone 4 , which is an older phone that does not use the same type of security and encryption as newer iPhones.

Re:

[JustAnotherOldGuy]

I'm shocked! Shocked, I tell you!

Beat me to it.

Yes, this certainly is shocking news, who could have seen this coming?

Re:

[Anonymous Coward]

I had a Chinese browser once.

Half an hour later I wanted another one.

Re:

[ShanghaiBill]

It is not just the Chinese government. It is also part of Chinese culture. Chinese people have very different expectations of privacy. In China, people will walk into rooms without knocking, ask extremely personal questions, and stick their nose into other people's affairs far more than an American would. I once took my daughter to see a doctor in Shanghai, and the waiting area and the doctor were in the same room. There was a row of chairs, and as each patient was finished, everyone shifted over one s

Re:

[tnk1]

I'm shocked! Shocked, I tell you!

If only there was some gambling in that browser, it would be so much better.

Software freedom, not nationalism, is needed.

[jbn-o]

The real problem is nonfree software—software which denies its users the freedoms of free software [gnu.org]—which is also appropriately called user subjugating, proprietary software—not nationalism. There are plenty of software distributors in other countries that mistreat their users by distributing proprietary software. All proprietary software is inherently untrustworthy because proprietary software doesn't grant its users software freedom. Some distributors distribute proprietary software precisely because they know they stand a good chance of getting away with malware (including digital restrictions, spyware, ransomware, and backdoors).

Re:

[Flavianoep]

Tell me, you are the "apps apping apps" guy, aren't you?

Re:

[eumoria]

In other news: The sun rose today!

Please forgive me

[Anonymous Coward]

"In Communist China, internet browses YOU!"

Re:

[Zocalo]

Also in Communist China, QQ Browser rage quits YOU!

Seriously, was there a deliberate clue in the name or something?

Re:

[Rob MacDonald]

I do not think chrome is syncing my fucking windows SID, but you know what? I never actually checked. so, for any app to sync my bookmarks, it needs my login to said app, then my bookmarks. so WTF is it doing sending :hard drive serial number, MAC address, Windows hostname, and Windows user security identifier.? My hard drive serial number? That helps "sync my bookmarks?" Come the fuck on man

Re:

[Anonymous Coward]

I'd imagine you are correct. However, as devil's advocate - here we go.

Windows hostname - so that it can show you what tabs / sites you have had open on each device. Chrome also shows this. Also so it can show the machine name of any "suspicious" log on attempts.

Windows user SID - many people share a computer. One logs off, the next logs on. So it may need more than hostname to sync the bookmarks for more than one person.

HD Serial Number - yeah that one makes no sense. It isn't even useful information fo

Re:

[crbowman]

Forget about why it's sending the hard drive serial number. Why is windows (or any os) giving an app my hard drive serial number? What possible use could there be for that without some sort of security/privacy dialog?

Re:

[FrankHaynes]

I've never even heard of the QQ browser, but my sentiments are along the same lines as yours.

When you live in the cloud, it's easier to get rained on.

Re:this is different from Goog or MS... how, again

[ShanghaiBill]

I've never even heard of the QQ browser

QQ is huge, used by hundreds of millions of people. It is far more than just a browser. It is an entire social network, with forums, games, and even a virtual currency, QQCoin. When my daughter wanted a dog, I bought her a virtual dog on QQ instead, and told her that I would get her a real dog if she could take care of the virtual dog for a year, and give it virtual food and virtual water everyday (costing more QQCoin). Unfortunately, when we went on vacation, she forgot to suspend it, and it starved to death while we were gone. I also used QQCoin to buy a virtual mink coat for my wife's avatar. So she has a mink coat that all her chat-friends can see, yet no actual minks are harmed. Win-win.

Re:

[aix tom]

That sounds a terrible lot like the behaviour of both Google and Microsoft, which people seem to accept without a problem. How exactly is this any different, except whereas Google also tries to gather other things like the contents of your emails and your social contacts?

To be fair, both Microsoft and Google will probably use better encryption while stealing your data, so that it is not discovered that easily.

Re:

[Frosty Piss]

That sounds a terrible lot like the behaviour of both Google and Microsoft, which people seem to accept without a problem.

Perhaps this is the problem:

...and sending it in an insecure manner to its servers.

Re:

[asasdlfgnjl]

Theres a browser that will one up QQ, Opera. Opera does all of that, and also reads what pages you have on speeddial, uploads to server and can inserts ads into speeddial based on it.

Popular?

[xxxJonBoyxxx]

You say this is a "popular" browser, but who really runs a non-standard browser anyway? (I just haven't seen it.)

Re:

[jimbob6]

The worlds most popular beer is or Snowflake beer but you probably haven't heard of that either.

Re:

[jimbob6]

Encoding screwed that post up. There's supposed to be a Chinese word in there that translates to "Snowflake beer".

Just like another

[Anonymous Coward]

Chrome does the same thing, when will it get a ./ article?

You know what would really be shocking?

[JustAnotherOldGuy]

What would really be shocking is if it didn't send data back to some Chinese mothership somewhere.

Unsecured and unencrypted?

[phorm]

Actually that might be a good thing. For one, the bad traffic was easily found, and for another it might be rather easy for some enterprising individual to mock-up some traffic and feed their servers with junk data...

Why are they using these browsers

[Anonymous Coward]

Anyone know the reason why people in China would be using QQ, etc over more typical stuff elsewhere? It seems like these browsers are made by various Chinese online services - why are they popular? Or is just one of those things where a tiny minority of Chinese users are using these things and that's still a huge number?

Let's not ignore the log in our own eye here.

[Anonymous Coward]

I see a lot of comments about how this should just be assumed because it's China. The irony is that the very same assumptions are being made about U.S. tech based on the behavior of the government and corporations. Let's be clear here: It's wrong when the Chinese government or corporations do it, and it's wrong when the U.S. government or corporations do it. And, if we're not careful, the U.S. is going to look a lot more Chinese as time goes on, and the rest of the world will simply stop buying what we are

How is this a big deal

[Anonymous Coward]

given that Google Web Search, Chrome, and Windows, sends even more sensitive information on you back to Google and Microsoft? Typical anti-Chinese propaganda.

Re:

[Actually, I do RTFA]

Chrome has an option not to send info to Google (is it respected?). And you can hide your google searches by using a variant like startpage.

And MS didn't start that til Windows 10. Although, people have collectively lost their shit over Windows 10 (correctly so).

#accidentallyonpurpose

[sydbarrett74]

Doubtless, this is a 'feature' mandated by the Chinese government and not a bug.

yeah. Like this is a surprise?

[WindBourne]

Obviously, they have to give up all data to the chinese gov. This is so that the wonderful Chinese gov can keep their ppl safe. It would NEVER be about restricting their access or finding out who is locating information about freedom.