A report published Monday by the University of Toronto's Citizen Lab reveals major security and privacy flaws in Tencent's QQ Browser for Windows and Android devices in China. Both versions of QQ Browser transmitted personal data, including nearby Wi-Fi access points, websites visited and a user's Android ID, with weak or no encryption. Some of the security concerns remain even after Tencent said it had addressed all the issues in the report.
The security flaws were discovered by Citizen Lab, a human rights research center that has a record of analyzing censorship in China and spyware attacks on journalists. In its analysis of Tencent's QQ Browser, the center discovered the app and desktop web browser transmitted identifiable data with little to no encryption, thus exposing users to potential attacks. The number of QQ Browser users is unknown, but Citizen Lab reported market penetration of around 48.3 percent for mobile browser users in China.
"Most troubling is the fact that users would generally be unaware of these risks — unaware that such data is being collected and transmitted, and potentially unaware that a properly crafted malicious software update attack could lead to malicious code being installed on their devices," Citizen Lab wrote in its report.
The Android and Windows versions of QQ Browser were both susceptible to "man-in-the-middle" attacks. In this scenario, QQ Browser sends a request to Tencent's servers to check for a software update. That request is protected by encryption weak enough that an attacker positioned on the network path can decrypt it, read the personal information it carries, or alter the exchange, for example by substituting a malicious update.
For the Android version, the update request carried the user's QQ username under easily broken encryption, the phone's International Mobile Subscriber Identity (IMSI), a number unique to each subscriber's SIM card, the device's Wi-Fi MAC address and the full URL of every page visited.
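To make the two failure modes concrete, the following is an added example, not code from the Citizen Lab report or from Tencent. It models an update check in which (1) identifiers like those listed above are sent under encryption an on-path attacker can break, and (2) the server's update response carries no integrity protection, so the attacker can redirect the client to a different package. The "weak cipher" is a repeating-key XOR with a key baked into every copy of the client; it is a stand-in chosen for illustration, not QQ Browser's actual scheme, and the field names, key values and URLs are all made up. The hardened variant checks a signature over the update manifest against a key pinned in the client; HMAC-SHA256 stands in for the public-key signature a real updater would use (with a public key, the verification key can ship in the client without letting an attacker forge manifests).

```python
"""Added example: weak update-check protocol versus a signed manifest.
Not from the Citizen Lab report or Tencent; all values are constructed."""
import hashlib
import hmac
import json
from typing import Optional

WEAK_KEY = b"Qb2016!!"   # hypothetical key embedded in every client copy
REQUEST_MARKER = b"QB_UPDATE|"  # assumed fixed prefix on every request


def weak_encrypt(data: bytes, key: bytes = WEAK_KEY) -> bytes:
    """Repeating-key XOR: encrypting and decrypting are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- vulnerable flow: identifiers leak, response can be altered -------------

def client_update_request() -> bytes:
    """Constructed request carrying the kinds of identifiers the article
    lists (username, IMSI, MAC address, page URL). Values are made up."""
    fields = {
        "ver": "6.0.1",
        "qq": "123456789",
        "imsi": "460001234567890",
        "mac": "00:11:22:33:44:55",
        "url": "https://example.org/news/protest-2016",
    }
    return weak_encrypt(REQUEST_MARKER + json.dumps(fields).encode())


def mitm_recover_key(ciphertext: bytes, key_len: int = len(WEAK_KEY)) -> bytes:
    """Known-plaintext attack: every request starts with the same marker, so
    XORing the marker against the first bytes of ciphertext yields the key.
    The key length is assumed known (e.g. from inspecting the client)."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, REQUEST_MARKER))
    return stream[:key_len]


def mitm_read_request(ciphertext: bytes) -> dict:
    """On-path attacker recovers the key, then reads every identifier."""
    plaintext = weak_encrypt(ciphertext, mitm_recover_key(ciphertext))
    return json.loads(plaintext.split(b"|", 1)[1])


def server_update_response(pkg_url: str) -> bytes:
    """Server answers with a download URL, protected only by the weak cipher."""
    return weak_encrypt(json.dumps({"ver": "6.0.2", "pkg": pkg_url}).encode())


def mitm_tamper_response(ciphertext: bytes, key: bytes, evil_url: str) -> bytes:
    """Attacker decrypts the manifest, swaps the package URL, re-encrypts."""
    manifest = json.loads(weak_encrypt(ciphertext, key))
    manifest["pkg"] = evil_url
    return weak_encrypt(json.dumps(manifest).encode(), key)


def vulnerable_client_accept(ciphertext: bytes) -> str:
    """Client decrypts and trusts whatever URL it finds: no integrity check."""
    return json.loads(weak_encrypt(ciphertext))["pkg"]


# --- hardened flow: client verifies a signature with a pinned key -----------

PINNED_KEY = b"hypothetical-pinned-verification-key"  # stand-in for a public key


def signed_manifest(pkg_url: str, pkg_sha256: str, signing_key: bytes = PINNED_KEY) -> dict:
    """Server side: sign the canonical manifest (URL plus package hash)."""
    body = json.dumps({"ver": "6.0.2", "pkg": pkg_url, "sha256": pkg_sha256},
                      sort_keys=True)
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def hardened_client_accept(manifest: dict) -> Optional[str]:
    """Client side: refuse any manifest whose signature does not verify.
    A tampered URL or hash changes the body and so fails the check."""
    expected = hmac.new(PINNED_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return None
    return json.loads(manifest["body"])["pkg"]


if __name__ == "__main__":
    req = client_update_request()
    print("attacker reads:", mitm_read_request(req))
    resp = server_update_response("https://update.example.com/qb.apk")
    evil = mitm_tamper_response(resp, mitm_recover_key(req), "https://evil.example/qb.apk")
    print("vulnerable client fetches:", vulnerable_client_accept(evil))
    good = signed_manifest("https://update.example.com/qb.apk", "00" * 32)
    bad = dict(good, body=good["body"].replace("update.example.com", "evil.example"))
    print("hardened client, genuine:", hardened_client_accept(good))
    print("hardened client, tampered:", hardened_client_accept(bad))
```

The signature check is only half of the fix: the hardened client should also stop putting the IMSI, MAC address and visited URLs into the request at all, and carry the exchange over TLS with certificate validation so that the version string it does send is not readable on the path either.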
After Citizen Lab notified Tencent of these issues, the company released an update for the Android version of QQ Browser March 2 and an update for the Windows version on or before March 14. Additional analysis following the updates reveals some security flaws that have yet to be patched.
Citizen Lab previously found similar security flaws in the other top browsers in China. Baidu Inc.'s Baidu Browser and Alibaba Group Holding Ltd.'s UC Browser also leaked personal data with little to no encryption, data that could be used to track and censor potential dissidents or be abused by hackers, the Wall Street Journal reported.