Baidu web browser branded a privacy nightmare
Personal data transmitted unencrypted back to base in Beijing by Chinese company's 'insecure' web browser
A web browser designed by Baidu, one of China's biggest internet companies, is catastrophically insecure, according to an examination by Canada's Citizen Lab.
"Baidu Browser, a web browser for the Windows and Android platforms, transmits personal user data to Baidu servers without encryption and with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks," warned the report.
It continues: "The Windows version of the Baidu Browser... transmits a number of personally identifiable data points, including a user's search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption."
The Android version of Baidu's browser was even worse. It "transmits personally identifiable data, including a user's GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user's IMEI and a list of nearby wireless networks with easily decryptable encryption".
Furthermore, software updates are not protected by digital signatures, so an attacker in a man-in-the-middle position could potentially get the browser to download and execute arbitrary code disguised as a browser update.
In response to the issues raised in the report, Baidu admitted that most issues currently remain unresolved. It promised to "significantly strengthen information security, and [make] complete changes to the mobile browser before the end of February and to the PC browser by early May of this year".
The catastrophic flaws in Baidu's browser, though, may explain the willingness of a consortium of Chinese companies to pay way over the odds for Norway's Opera Software, maker of the eponymously named web browser.
The consortium buying the company includes Chinese security software company Qihoo 360 and internet firm Beijing Kunlun Tech. The deal is backed by the investment funds Golden Brick and Yonglian Investment.
Baidu is China's most popular search engine - a position aided by the Chinese government's own 'great firewall', which has helped to keep pesky foreign rivals like Google out of the Chinese market.