Wup Woh: Security Issues with Another China-based Browser

“Once is happenstance. Twice is coincidence. The third time, it’s enemy action” – Ian Fleming, Goldfinger

The Citizen Lab is releasing a new report today authored by Jeffrey Knockel, Adam Senft, and myself, entitled: “WUP! There It Is: Privacy and Security Issues in QQ Browser.”*   The report is a continuation of the research we have been doing on privacy and security issues in popular Asia-based applications, and in particular China-based mobile browsers. Previous Citizen Lab reports found major security and privacy issues in UC Browser and Baidu Browser.  We now find strikingly similar problems in a third Chinese application, QQ Browser.

As we detail at length in the report (based on Jeffrey Knockel’s reverse engineering and technical analysis), we find QQ Browser is collecting a lot of highly sensitive information about users (what a user is searching for and where they are located) and users’ devices (IMEI number, SIM Card number, etc) and then transmitting all of this data either completely unencrypted or in an easily decrypt-able format back to Tencent’s servers (Tencent is the parent company of QQ).

We also identify a major vulnerability in the software update process, which would allow any malicious actor to easily spoof the automatic browser update with malware and then completely take over a user’s device.  In our report, we demonstrate this vulnerability by installing Angry Birds.  We could have just as easily installed spyware as a software update — and then turn on the microphone and camera, harvest user information, send spoofed emails or instant messages from the device, or change any of its security settings.

The threats for users of the privacy and security issues we found are numerous and troubling, especially in a context like China.  The insecure transmission of highly sensitive user data means that any actor with visibility along any point of the networks through which QQ’s data passes (WiFi cafes, ISPs, telcos, etc) could collect all of it and share it with anyone they want.  The software vulnerability update process means that any of those same actors along any of those network paths could also trivially push a fake update to the device and take it over in the same way we did.  The collection and insecure transmission of very invasive persistent identifiers hard-baked into a user’s device (IMEI number, SIM card number, serial number) is a gold mine for law enforcement and SIGINT agencies, as clearly demonstrated in the Snowden disclosures – since they can use these device identifiers to track people as they move around — as most of us do — with devices in our pockets.

Most concerning of all, of course is that these problems are situated in the context of China — a country with one of the world’s most extensive censorship and surveillance regimes; a country that compels all Internet companies, like Tencent, to turn over user data upon request to security services; a country that has recently passed a far-reaching anti-terrorism law that requires service providers to decrypt communications when the government asks; a country that is in the midst of a dramatic tightening up of laws and regulations around social media use; and a country that routinely incarcerates, detains, or harasses human rights activists, lawyers, activists, and others the regime deems to be subversive, both within mainland China and abroad.

Why is QQ collecting all of this highly invasive user data and transmitting it back to its servers in an insecure fashion? And, why are three of the most popular mobile browser applications in China all suffering from nearly identical problems?

As with UC Browser and Baidu Browser, we engaged in a responsible notification process to QQ’s security engineers (who only partially fixed the issues), and then sent detailed questions to the parent company, Tencent, answers to which we promise to publish in full alongside our report.  At the time of publication, however, Tencent has not replied to those questions.

Without those answers, we can only speculate.  It could be that the engineers are all following the same sloppy security and aggressive data collection practices as a coincidence.  Or, it could be because sloppy security and aggressive data collection practices are the norm in the application development industry, and these engineers are just doing what’s normal.  But given the context in China described above, one cannot help but speculate that there is something else more nefarious going on.

Regardless of the reasons, the effect is the same: millions of users of these applications are exposed to serious, perhaps life threatening, privacy violations and security risks.

Read the full report here: https://citizenlab.org/2016/03/privacy-security-issues-qq-browser/

Read the Washington Post story here: http://wpo.st/skzP1

Read the Wall Street Journal story here: http://on.wsj.com/1ohHbIy

*The title “WUP! There It Is” is a reference to the insecure transmission of user data sent by QQ Browser across the network, which they designate as “WUP” requests.