Alibaba's Huge Browser Business Is Harvesting The 'Private' Web Activity Of Millions Of Android And iPhone Users

Security researcher Gabi Cirlig's findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they're in incognito mode or not, is sent to servers owned by UCWeb. From a report: Cirlig said IP addresses -- which could be used to get a user's rough location down to the town or neighborhood of the user -- were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it's not currently clear just what Alibaba and its subsidiary are doing with the data.

"This could easily fingerprint users and tie them back to their real personas," Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple's iOS, he didn't even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). "This kind of tracking is done on purpose without any regard for user privacy," Cirlig told Forbes. When compared to Google's own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he'd looked at other major browsers and found none did the same as UC Browser.

Re: Frosty Piss

[saloomy]

Itâ(TM)s a good thing the app stores vet their apps

Re:

[ArsenneLupin]

Itâ(TM)s a good thing the app stores vet their apps

At least they could pull spying or phishing apps after the fact, when brought to their attention. But even that is too much for them.

Re:

[Z00L00K]

And you now start to get upset that Alibaba also does what Google, Facebook, Amazon and Apple already are doing.

We definitely live in the world of Max Headroom. All we need now are blipverts, but on the other hand we got the 'rona.

Re:Frosty Piss

[AleRunner]

And you now start to get upset that Alibaba also does what Google, Facebook, Amazon and Apple already are doing.

I get the tradition of not reading the article and suff, but in the summary above it's clear that Google, Amazon and Apple are not actually doing this*. It's pretty much implicit in the headline too.

* if you use anything from Facebook, you got what you deserve, (Zuck: They "trust me" / Zuck: Dumb fucks)

Re:

[Z00L00K]

So then tell me why Google Maps asks you how your visit was to a certain place even though you have turned off all your tracking.

Re:

[Canberra1]

Historically, some AV products like AVG and Kaspersy did this. I suspect many 'Free' VPN's are also collection agencies.

I would be more surprised

[IWantMoreSpamPlease]

if something owned by the Chinese *didn't* spy on you or report back to the authorities.

Re:

[Anonymous Coward]

Thank you for the whataboutism. That is a pointless, and irrelevant argument. If you have evidence the US is doing it, by all means come to Slashdot and show that a browser is sending all data to .us addresses.

The problem about China is that the state has the final say of what happens in their corporations. Any project on Chinese soil has to be 51% owned by a domestic company. To visualize, it would be like every US company having a board of CIA/NSA/DHS/DEA people who get to review all company stuff, ha

Re:

[spun]

Yeah, gonna have to disagree that the fanatical authoritarian tyrants running China have no impact on us here in the US. They do.

Re:

[tlhIngan]

Yeah, gonna have to disagree that the fanatical authoritarian tyrants running China have no impact on us here in the US. They do.

In many ways. First, they have poor data privacy practices. Using a Chinese app means your spied on and tracked and that information is sold widely. If you're not comfortable with Facebook tracking you, the Chinese apps do way more than that.

Then there are people "inconvenient" to the CCP. Belarus is just an amateur play. If you're inconvenient, expect harassment from China - usua

Re:

[larryjoe]

Which is a shame, because for most Americans, the Chinese government has no impact on them whatsoever, but American companies do.

This is incorrect. Yes, American companies obviously impact Americans, but Chinese government policies and actions do affect the world market and the US economy is very direct and significant ways. Jobs and markets have appeared and disappeared in the US. The prices and availability of goods in the US are tied to Chinese government actions. Garbage collection and recycling in the US were dramatically upended by Chinese government decisions. This list goes on.

Re:

[arglebargle_xiv]

Beat me to it. Spying on users is the sole domain of Google, Microsoft, Fecebook, etc, all good respectable American companies. How dare foreigners get into the act!

Re:

[fermion]

I think the Chinese are just more obvious. I stopped using Chrome for incognito as we actually do not know how clever they are, but certainly their business is tracking. Edge and Safari we donâ(TM)t know what is going on which leaves Firefox as the least worst option.

who's using it?

[yababom]

I'd never heard of this browser before today... Who is using and why?

Re:

[Frederic54]

I've never heard of it too, but it has 500+ millions installation on Android, insane... and 21'000 reviews (certainly most are fakes)

Re:who's using it?

[aitikin]

UCWeb [wikipedia.org] has been around since '04 and has even in /.'s recent [slashdot.org] news [slashdot.org] stories. You've likely never heard of it, or only heard of it in passing as it is primarily a Chinese used browser (something like 2/3 market share) and it wasn't of note to most of us until Alibaba bought it in '14.

Re:

[eepok]

Grade A+ informative post... but I have no points with which to mod. Please accept my gratitude.

Re:

[ShanghaiBill]

UC Browser is popular in Asia. In addition to China, it is widely used in India and Indonesia.

India banned it last year, but it is still widely used there.

Time to ban ALL user tracking

[sixminuteabs]

Or make it OFF by default. Any company caught violating it should face massive fines and App Store takedown. We should not have to live under constant surveillance just because these companies canâ(TM)t make money in an honest way.

Re:

[ArsenneLupin]

Any company caught violating it should face massive fines and App Store takedown.

App store takedown is never going to happen as long as they pay the fees charged by the store. Or why else would Google keep known phishing apps in their Playstore?

No trust

[AndyKron]

If you trust ANYBODY you're an idiot

Re:No trust

[AleRunner]

If you trust ANYBODY you're an idiot

I don't believe you.

like most browsers

[awwshit]

Sounds like it works like most browsers, where you are the product. I'll bet Chrome sends more in private mode than you think, its not zero.

The real issue is that you can't trust any modern browser. As mush as I like Firefox, its hobbled since Chrome/Chromium is the new IE and no one tests with FF.

Why do these companies need to catalog our every move? Advertising worked well long before the internet, and still could.

Re:

[Gabest]

Your Chrome history, bookmarks, passwords, credit cards, they are all stored and transfer magically through nothing.

Re:

[awwshit]

Through nothing, because analytics and ads are nothing.
https://www.msn.com/en-us/news... [msn.com]

When Google does it, its just a bug. When Chinese Alibaba does it, its dirty communists. Right?

Google says that it won't "remember" your browsing history, but it still gets it. I know, I'm making this all up. Right?
https://www.forbes.com/sites/z... [forbes.com]

Where have I heard this M.O. before ?

[Big Bipper]

Oh yes, I remember. It sounds just like what Windows does, except to China instead of Redmond.

This is a feature

[JeffOwl]

The point of UC Browser is that it compresses the data stream reducing the mobile data usage. In order to do that it has to route the traffic through a server under control of the company.

color me surprised

[p51d007]

NOT!

"When compared to Google's own Chrome browser"

[TheNameOfNick]

Chrome doesn't need to rat you out to Google. The web sites already do it when they make your browser contact Google servers to load fonts, analytics, ads, script libraries...

Re:

[awwshit]

^ This.

And this is a surprise...

[QuietLagoon]

... Why?

Can someone give me some host files to block?

[sandbagger]

Thanks.

Re:

[freeze128]

Sure, Here:

*.*

Re:

[ArsenneLupin]

Not sure this changes anything. About a month ago, I fell victim to a phishing app installed through the playstore. Obviously, I reported it, however it's stil online.

Re:

[account_deleted]

Comment removed based on user account deletion

Is anyone really surprised? Also: Opera + VPN

[shm]

Opera, a fine browser no doubt, was aquired by some Chinese entity some years ago.

Their built in VPN immediately became highly suspicious.

Make China Great Again.

[HaAh]

Alibaba : We had cooperated with the NSA to Make China Great Again.