Chinese-made browser found to send page history, search history, nearby Wi-Fi access points, HDD serial numbers and more



"QQ Browser", the web browser from Tencent, operator of China's largest instant messenger "QQ", has been found to send personal information to its servers, including the pages users visit, their search terms, nearby Wi-Fi access points, hard disk (HDD) serial numbers and the Android ID. The researchers also point out that this data is transmitted without encryption, which is a major security risk.

WUP! There It Is: Privacy and Security Issues in QQ Browser - The Citizen Lab
https://citizenlab.org/2016/03/privacy-security-issues-qq-browser/

Researchers identify major security and privacy issues in Popular China Browser Application, QQ - The Citizen Lab
https://citizenlab.org/2016/03/researchers-identify-major-security-and-privacy-issues-in-popular-china-browser-application-qq/

This was discovered by Citizen Lab at the University of Toronto, Canada. According to Citizen Lab, the Windows version v9.2.5478 sends the URL of the page being viewed, the MAC address, the PC name, the HDD serial number and so on, while the Android version v6.3.01920 sends the IMEI, the IMSI, the SSID of the connected Wi-Fi network, search queries entered in the address bar and so on. Furthermore, this information is either transmitted unencrypted or, where it is encrypted, protected only with 128-bit RSA, which is relatively easy to break. The encryption scheme QQ Browser uses is an uncommon one called MTEA + CBC, and Citizen Lab notes that it is the same implementation found in Baidu Browser, the Chinese-made browser whose privacy and security risks Citizen Lab pointed out in February 2016.

That QQ Browser collects, without permission, information that can identify a user and possibly an individual is a problem in itself, but because this personal information is transmitted unencrypted or in an easily decrypted form, there is the further risk that it is intercepted and spread by a malicious third party.

Furthermore, according to Citizen Lab, QQ Browser has a vulnerability that, if exploited, allows arbitrary code to be executed during a software update.

By Don Hankins

On February 5, 2016, Citizen Lab notified the developer Tencent that QQ Browser collects excessive information and has vulnerabilities allowing arbitrary code execution, and sent a questionnaire asking for details, requesting a response within 45 days of notification. Because Tencent had not responded as of March 28, 2016, Citizen Lab made its findings on QQ Browser's data collection public.

Tencent updated QQ Browser on March 2, 2016, to v9.3.6872 on Windows and 6.4.2.2075 on Android, so Citizen Lab checked whether these updates resolved the problems it had pointed out. In the Windows version, the MAC address, the HDD serial number and other information that identifies the PC were confirmed to still be transmitted using an easily decipherable algorithm. In the Android version, some of the reported problems were fixed, but others remain unresolved. Although the RSA encryption key was confirmed to have been changed from 128 bits to 1024 bits, Citizen Lab notes that a key of at least 2048 bits is preferable.

Posted in Software, Security by darkhorse_log