Alibaba's Huge Browser Business Is Harvesting The 'Private' Web Activity Of Millions Of Android And iPhone Users (forbes.com) 50
Security researcher Gabi Cirlig's findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they're in incognito mode or not, is sent to servers owned by UCWeb. From a report: Cirlig said IP addresses -- which could be used to get a user's rough location down to the town or neighborhood of the user -- were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it's not currently clear just what Alibaba and its subsidiary are doing with the data.
"This could easily fingerprint users and tie them back to their real personas," Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple's iOS, he didn't even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). "This kind of tracking is done on purpose without any regard for user privacy," Cirlig told Forbes. When compared to Google's own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he'd looked at other major browsers and found none did the same as UC Browser.
"This could easily fingerprint users and tie them back to their real personas," Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple's iOS, he didn't even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). "This kind of tracking is done on purpose without any regard for user privacy," Cirlig told Forbes. When compared to Google's own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he'd looked at other major browsers and found none did the same as UC Browser.
Re: Frosty Piss (Score:2)
Re: (Score:2)
Itâ(TM)s a good thing the app stores vet their apps
At least they could pull spying or phishing apps after the fact, when brought to their attention. But even that is too much for them.
Re: (Score:3)
And you now start to get upset that Alibaba also does what Google, Facebook, Amazon and Apple already are doing.
We definitely live in the world of Max Headroom. All we need now are blipverts, but on the other hand we got the 'rona.
Re:Frosty Piss (Score:4, Informative)
And you now start to get upset that Alibaba also does what Google, Facebook, Amazon and Apple already are doing.
I get the tradition of not reading the article and suff, but in the summary above it's clear that Google, Amazon and Apple are not actually doing this*. It's pretty much implicit in the headline too.
* if you use anything from Facebook, you got what you deserve, (Zuck: They "trust me" / Zuck: Dumb fucks)
Re: (Score:3)
So then tell me why Google Maps asks you how your visit was to a certain place even though you have turned off all your tracking.
Re: (Score:2)
I would be more surprised (Score:5, Insightful)
if something owned by the Chinese *didn't* spy on you or report back to the authorities.
Re: (Score:1)
Thank you for the whataboutism. That is a pointless, and irrelevant argument. If you have evidence the US is doing it, by all means come to Slashdot and show that a browser is sending all data to .us addresses.
The problem about China is that the state has the final say of what happens in their corporations. Any project on Chinese soil has to be 51% owned by a domestic company. To visualize, it would be like every US company having a board of CIA/NSA/DHS/DEA people who get to review all company stuff, ha
Re: (Score:2)
Yeah, gonna have to disagree that the fanatical authoritarian tyrants running China have no impact on us here in the US. They do.
Re: (Score:2)
In many ways. First, they have poor data privacy practices. Using a Chinese app means your spied on and tracked and that information is sold widely. If you're not comfortable with Facebook tracking you, the Chinese apps do way more than that.
Then there are people "inconvenient" to the CCP. Belarus is just an amateur play. If you're inconvenient, expect harassment from China - usua
Re: (Score:2)
Which is a shame, because for most Americans, the Chinese government has no impact on them whatsoever, but American companies do.
This is incorrect. Yes, American companies obviously impact Americans, but Chinese government policies and actions do affect the world market and the US economy is very direct and significant ways. Jobs and markets have appeared and disappeared in the US. The prices and availability of goods in the US are tied to Chinese government actions. Garbage collection and recycling in the US were dramatically upended by Chinese government decisions. This list goes on.
Re: (Score:2)
Re: (Score:2)
who's using it? (Score:2)
Re: (Score:2)
I've never heard of it too, but it has 500+ millions installation on Android, insane... and 21'000 reviews (certainly most are fakes)
Re:who's using it? (Score:5, Informative)
UCWeb [wikipedia.org] has been around since '04 and has even in /.'s recent [slashdot.org] news [slashdot.org] stories. You've likely never heard of it, or only heard of it in passing as it is primarily a Chinese used browser (something like 2/3 market share) and it wasn't of note to most of us until Alibaba bought it in '14.
Re: (Score:2)
Grade A+ informative post... but I have no points with which to mod. Please accept my gratitude.
Re: (Score:2)
UC Browser is popular in Asia. In addition to China, it is widely used in India and Indonesia.
India banned it last year, but it is still widely used there.
Time to ban ALL user tracking (Score:2, Insightful)
Re: (Score:2)
Any company caught violating it should face massive fines and App Store takedown.
App store takedown is never going to happen as long as they pay the fees charged by the store. Or why else would Google keep known phishing apps in their Playstore?
No trust (Score:3)
Re:No trust (Score:5, Funny)
If you trust ANYBODY you're an idiot
I don't believe you.
like most browsers (Score:2)
Sounds like it works like most browsers, where you are the product. I'll bet Chrome sends more in private mode than you think, its not zero.
The real issue is that you can't trust any modern browser. As mush as I like Firefox, its hobbled since Chrome/Chromium is the new IE and no one tests with FF.
Why do these companies need to catalog our every move? Advertising worked well long before the internet, and still could.
Re: (Score:2)
Your Chrome history, bookmarks, passwords, credit cards, they are all stored and transfer magically through nothing.
Re: (Score:2)
Through nothing, because analytics and ads are nothing.
https://www.msn.com/en-us/news... [msn.com]
When Google does it, its just a bug. When Chinese Alibaba does it, its dirty communists. Right?
Google says that it won't "remember" your browsing history, but it still gets it. I know, I'm making this all up. Right?
https://www.forbes.com/sites/z... [forbes.com]
Where have I heard this M.O. before ? (Score:4, Insightful)
This is a feature (Score:4, Interesting)
color me surprised (Score:1)
"When compared to Google's own Chrome browser" (Score:4, Interesting)
Chrome doesn't need to rat you out to Google. The web sites already do it when they make your browser contact Google servers to load fonts, analytics, ads, script libraries...
Re: (Score:2)
^ This.
And this is a surprise... (Score:2)
Can someone give me some host files to block? (Score:2)
Thanks.
Re: (Score:2)
*.*
Re: (Score:2)
Re: (Score:2)
Is anyone really surprised? Also: Opera + VPN (Score:1)
Opera, a fine browser no doubt, was aquired by some Chinese entity some years ago.
Their built in VPN immediately became highly suspicious.
Make China Great Again. (Score:1)