TORONTO – A popular web browser in China may be putting the personal information of hundreds of millions of users at risk, a new report has found.
Tencent’s QQ browser has 853 million monthly active users, according to the company’s most recent public figures. The majority of its users live in China and other countries in Asia.
The browser’s Android and Windows versions send personal data to the company’s servers either without encryption or with encryption that can be easily decrypted, according to a report from the Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs. This personal data includes the URLs of visited sites.
A public Wi-Fi network or another third party could acquire users’ personal data by collecting traffic and decrypting the information.
The report also exposed privacy vulnerabilities in how the two browser versions update software. Someone could spoof such an update and install malicious code, like a spyware program, on a QQ browser user’s device, the authors found.
QQ browser users generally would not be aware of these risks, the authors wrote, and would likely be concerned about the privacy breach if they knew.
In China, the security breach could pose problems for democracy activists, human rights advocates and other so-called high-risk Internet users, according to the report.
The report studied the Android version 9.2.5478 and the Windows version 6.3.01920.
Citizen Lab’s director Ronald Deibert sent a letter to Tencent in mid-March asking if the company plans to correct the uncovered privacy vulnerabilities. Tencent did not provide answers prior to the report’s publication.
However, Tencent did release updates to its Android and Windows versions before the report was published. Both new versions resolve some of the privacy issues.
Citizen Lab has previously found similar privacy concerns with UC browser and Baidu browser.
Former National Security Agency contractor Edward Snowden also leaked documents that indicated the Five Eyes intelligence alliance, which includes Canada, used the UC browser’s privacy shortcomings to identify and track users, according to the report.
The similarities between the three browsers’ privacy concerns could be a coincidence, adherence to industry standards, the result of government directives or informal pressure from officials or businesses, or a mix of the latter two factors, the authors suggest.
All these causes require more research, they say.