Baidu Browser Acts Like a Mildly Tempered Infostealer Virus 97
An anonymous reader writes: The Baidu Web browser for Windows and Android exhibits behavior that could easily be categorized by a security researcher as an infostealer virus because the browser collects information on its users, and then sends it to Baidu's home servers.
Both versions collected waaaaay to much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.
Both versions collected waaaaay to much information that has nothing to do with analytics, like hard drive models, CPU serials, and personal browsing history. The browser collected and sent this information on startup, when the user started typing content in his address bar, and on any page view. Some of this was sent via unencrypted connections. Additionally, the browser update did not use code signatures, meaning you could man-in-the-middle the connection and send anything you'd like to the browser, from Pokemon games to banking trojans, and have it installed locally.
Re: (Score:1)
Have a rice day.
Re: (Score:1)
Re:Crome (Score:5, Interesting)
I keep hearing this. Where are the packet dumps showing what info is collected?
Re:Crome (Score:5, Interesting)
Found this on reddit:
've seen theres a lot of speculation on whether the observed network connections from Windows 10 with privacy options on are actually spying or not, and figured some actual evidence would be in order.
Anyone can recreate this for themselves:
Fresh install of Windows 10.
Set all privacy options to off, disable cortana, disable web search
Ensure all updates are done. Close all programs.
Install Fiddler, and enable HTTPS sniffing. (If you use wireshark, you wont be able to view the HTTPS)
Press stream in fiddler.
Click the windows search bar, type any letter, watch the HTTPS session to bing.com appear.
Im still trying to figure out exactly what it is that it is transmitting, but its for sure sending a user-agent string that identifies itself as Cortana.
Some observed behaviors:
Clicking on a link from an application (in this case, a download link from within Fiddler) submits the URL you are visiting to urs.microsoft.com.
Opening applications-- even with SmartScreen disabled-- opens sessions to apprep.smartscreen.microsoft.com and, among other things, submits the hash of the application. EDIT: Apparently you must also disable smartscreen in edge. Even so, it will initiate a connection to w.apprep.smartscreen.microsoft.com
Typing anything into the search bar will, regardless of settings, initiate an HTTPS session to www.bing.com. It will transmit a cookie, though so far I have not seen anything in there that looks like keystroke monitoring, as the only thing that appears to change between attempts is an HV section of the cookie. It appears to be downloading javascript, and submitting identifying data (screen resolution, install date, SID). The URL it uses is https://www.bing.com/manifest/... [bing.com]
Opening the settings app and going into account options sometimes opens a session to public-family.api.account.microsoft.com:443. I suppose this would be expected.
Re:Crome (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
They just got rid of the "no".
Re: (Score:1)
No. They got rid of it and replaced it with "Do as we say, not as we do."
Re: (Score:2)
It is definitely different in the scope of what is being collected. It is important to make a distinction even if they are both intrusive to some degree.
Re: (Score:3)
It's different in that it's information are set to those horrible Chinese people, instead of those wonderful people at Google who have that sweet "Do no evil" motto.
Chromium is open source, so you know exactly what's being transmitted, and you can audit it yourself if you like. Baidu is a black box and you have no idea what's coming or going.
Re: (Score:1)
All 'telemetry' is SPYING. (Score:4, Insightful)
All 'telemetry' is SPYING.
True to life (Score:1)
Re: (Score:3)
Yes. You should not instantly mistrust it because it sounds Asian. That would be wrong.
You should mistrust it because this is Baidu you're talking about here.
Re: (Score:2, Insightful)
Baidu [wikipedia.org] is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
As a Chinese "Google," it also 100% caves into any and all government requests for censorship, page removal, data, whatever. You know there's a reason why there is no google.cn, right? And why half the time Google and all its services are blocked (not sure of the current state--it tends to go back and forth) in China.
Re: (Score:2)
Baidu [wikipedia.org] is the Chinese "Google", the biggest Chinese search engine provider. According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
Who cares about the Alexa rank of site? Yahoo.com [alexa.com] is also one of the five most visited websites in the world and people here keep saying it's not relevant anymore.
Re: (Score:1)
Re: (Score:2)
It's just wrong, yahoo is still the favourite search engine for many, even when they start by typing yahoo in their google searchtoolbar.
Re: (Score:1)
According to Alexa, it's one of the five most visited web sites in the world. Would you like fries with your ignorance?
There are 1.3 billion people in China, where google is banned and blocked, so I'm not sure why you're surprised that their government's replacement is one of the most heavily visited on the planet. Or why you'd be surprised that it's heavily monitored, or why you'd be surprised that the App for it does everything it can to suck as much data as it can on anyone who uses it.
Re: (Score:2)
Re: (Score:1)
Baidu is the equivalent of Google (which is blocked in China but wasn't that popular to begin with) for 1.3 billion Chinese. It's the first place they go to search. Like Google, there are alternatives. When my phone broke in China and I had to buy a new Android phone, it came (like most phones in the Chinese market) with Baidu everything -- Baidu app store, Baidu browser default, etc. Remember that Google (including Google play) is blocked, so these are the default Android apps. In other words, it has
Re: (Score:1)
China. (Score:4, Insightful)
What else would you expect?
Re: (Score:2, Insightful)
microsoft, google, and facebook are u.s. companies... datamining users for fun and profit and for government goodwill is not country-specific.
Re: (Score:2)
microsoft, google, and facebook are u.s. companies... datamining users for fun and profit and for government goodwill is not country-specific.
Yes, but Facebook, Google, Apple and Microsoft are all Companies, therefore any action they take is doubleplus(R) good(TM). Baidu is partially state owned by the Chinese, therefore that is Baaaaad.
It seems like you're starting to de-capitalise comrade, report to the neared Rand centre for re-education citizen.
Re: (Score:3)
With the number of hacks coming from China, I'd at least expect them to understand the value of signing their code.
waaaaay too pregnant (Score:4, Insightful)
Both versions collected waaaaay to much information that has nothing to do with analytics...
This is a meaningless statement, mostly because "analytics" is always a just a weasel-word for "spying". The only acceptable amount is zero.
Re: (Score:2)
Not really.
If you run a grocery store and you put X on the left in one store, and on the right in another, and you record that it sells better when on the left, and then change all your stores, that's analytics too. Its not "spying", its not a weasel word for spying.
There are all kinds of ways one can do analytics without "spying". Hell, serving have your web visitors one ad, and half the other and seeing which has a better sales coversion rate, that's analytics too.
Re: (Score:2)
Yes, okay, fine, I misspoke: The word "analytics" can mean things other than spying. Just not in the context of web browsers that phone home. There is no God damn thing about my browsing habits I want the maker of my browser knowing. Not what, not where, not when, not how long, not how much, not what type. I guess I'm not too worried about them knowing I downloaded it, but then again, if I could conceal even that datum from them, I would.
Re: (Score:2)
waaaaay to much leniency (Score:2, Interesting)
timothy, do your job ffs. and by that I don't mean shill for your benefactors, I mean EDIT.
Re: (Score:2)
I noticed that, to.
Re: (Score:2)
The same way any other locally-executing program gets it? We're talking about the browser executable itself here, remember, not some web page executing in the Javascript sandbox.
Re: (Score:2)
I actually think they meant the ProcessorId, not the serial number.
In a Windows command prompt, type:
wmic cpu get ProcessorId
You can get it for RAM
wmic memorychip get serialnumber
This information and others are exposed in APIs and is available to whoever wants to use it.
There are similar capabilities in most OSes. They're actually useful informational commands to have, but certainly you don't want to just start throwing them around the Internet.
Re: (Score:2)
* accepting wmic from the internet (be it through an open port/MiTM/code injection/whatever) can allow the installing/removing/disabling of the windows firewall, patches, services, etc. - That qualifies as both bad and harmful.
* passing the output of wmic commands on the internet can allow specific targeting of your machine base
Baidu is relentless (Score:5, Interesting)
The Baidu search spider is relentless...I see thousands of connections and scans from it every day on many of the sites I own and admin. The logs often contain literally tens of thousands of lines of Baidu requests, and the spider completely ignores the robots.txt file. For example, this usually does not work:
#Baiduspider / ...and neither do most of the other snippets and directives that are supposed to block the Baidu search spider, because it often misrepresents itself.
User-agent: Baiduspider
Disallow:
The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs. It's almost easier just to block all of China.
Re: (Score:1)
It's almost easier just to block all of China.
I was going to make a joke about what a devilishly clever scheme this is - to make the rest of the world implement a great firewall of China, rather than having to do it themselves... but now I'm not completely positive anymore that it would not contain a grain of truth...
robots.txt (Score:2)
This whole idea of robots.txt is dumb. Its based on the honor system. Imagine if the rest of internet security worked like that. Plenty of awesome sites have gone away and not been archived because of robots.txt.
Re: (Score:1)
Re: (Score:2)
...The only relief is to block the IPs that Baidu comes from, but it's a huge range, hundreds of IPs....
I also have been assaulted by the baiduBot relentless search patterns.
.
It is one of the very, very few search bots that do not follow robots.txt directives. (bing and yandex being the other two that I've seen)
Re: (Score:1)
So who wrote the spider? Baidu or 3PLA? [wsj.com]
fixed it for you (Score:1)
Hey! Stop that! (Score:2)
That's the OS' business!
Remember this, people (Score:3)
While I'd be the LAST one to exonerate the misdeeds of my own United States...for all those decrying the "US controls the internet" and all the painting of the US as some sort of malignant capitalist force in the world generally: understand that your actual choice ISN'T the US vs whatever utopia you have cooked up in your head where governments aren't power-hungry monsters and commerce is run by the pleasant hippy guy down at your local co-op who gives you free snacks and coffee "for whatever you feel is fair, dude".
No, the ACTUAL choices in the world we live in are: ...as your superpowers.
- the US
- China
- maybe Russia
As much as the US is deeply flawed in many ways, it's still orders of magnitude more benign than the alternatives.
Re: (Score:2)
While I'd be the LAST one to exonerate the misdeeds of my own United States...for all those decrying the "US controls the internet" and all the painting of the US as some sort of malignant capitalist force in the world generally: understand that your actual choice ISN'T the US vs whatever utopia you have cooked up in your head where governments aren't power-hungry monsters and commerce is run by the pleasant hippy guy down at your local co-op who gives you free snacks and coffee "for whatever you feel is fair, dude".
No, the ACTUAL choices in the world we live in are: ...as your superpowers.
- the US
- China
- maybe Russia
As much as the US is deeply flawed in many ways, it's still orders of magnitude more benign than the alternatives.
Swap Russia for the EU.
Whilst they're slow to act, they are a force to reckon with once roused. They are the single largest economic bloc and are definitely a super power militarily.
Russia has lost superpower status and has fallen in to the BRIC group of minor powers (Brazil, Russia, India, China).
Re: (Score:2)
The EU a "super power" militarily? Bwahaha.
First, you need to have a military: They couldn't even bomb some Libyan bandits without running out of bombs and needing US air control and mid-air refueling. 5 of the 28 members of NATO even bother to meet their treaty-obligated minimum defense budgets, much less anything more. Most EU country militaries are barely more than ill-concealed jobs programs, and are populated a few patriots but mostly by the hopeless dregs that for some reason can't simply do nothin
Grammar Nazi says... (Score:1)
*too