All web browsers have vulnerabilities, but one piece of Chinese software might be eligible for the title of most insecure browser ever.
Likely unbeknown to its users, QQ Browser has been transmitting identifying information—including web histories, search queries, and nearby WiFi networks—with poorly implemented or no cryptographic protection.
In a report published on Monday, researchers from Citizen Lab detailed a slew of vulnerabilities in the Android and Windows versions of the browser (QQ is also available on iOS and OSX, but they did not analyse these versions). The report notes that in 2013, QQ was the eighth most installed application in China for iOS and Android devices, and as of 2012, the app had some 16 million non-Chinese users.
"The application collects and transmits personally identifiable data points in a manner that leaves this data vulnerable to surveillance by third parties," report authors Jeffrey Knockel, Adam Senft, and Ron Deibert write. "Further, deficiencies in the software update process leave users vulnerable to having arbitrary code, such as a malicious spyware program, inserted by a third party and executed on their devices."
The researchers worry that users would be unaware of these risks.
According to Citizen Lab, the Android version of the QQ Browser app transmits a phone's unique IMEI and IMSI identifiers in an easy-to-decrypt form as well as the device's MAC address and the full URL of each page visited in the browser. When the Android version of QQ sends a request after visiting a web page, for example, data is encrypted with an RSA key of 128 bits. Normally, the researchers point out, it is recommended that RSA keys are at least 2048 bits. Because of the small key size, anyone monitoring the traffic of a user—perhaps a hacker in a cafe on the same network or a nation state intercepting communications—could easily decrypt the data.
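To make the key-size point concrete, here is an added example (not code from the Citizen Lab report or from QQ Browser) in which a constructed 92-bit toy key is factored and a textbook-RSA ciphertext is decrypted in pure Python, next to the size check a defender would apply. The primes, the sample message, the unpadded RSA and all function names are assumptions made for the illustration.

```python
import math

# Constructed toy key: two well-known Mersenne primes give a 92-bit modulus,
# smaller than the 128-bit key the report describes, so the demo finishes
# quickly in pure Python. Nothing here is taken from QQ Browser itself.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
MIN_RSA_BITS = 2048  # minimum size cited in the article


def key_is_acceptable(modulus: int, minimum_bits: int = MIN_RSA_BITS) -> bool:
    """Defender-side check: reject RSA moduli below the recommended size."""
    return modulus.bit_length() >= minimum_bits


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 20):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means this c failed; retry
            return d
    raise ValueError("no factor found")


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n, then derive d exactly as the key owner would."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> bytes:
    message = b"imei=0000"  # constructed placeholder, shorter than N
    ciphertext = pow(int.from_bytes(message, "big"), E, N)   # textbook RSA
    d = recover_private_exponent(N, E)
    plain = pow(ciphertext, d, N)
    return plain.to_bytes((plain.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(N.bit_length(), key_is_acceptable(N), demo())
```

The cost of factoring grows steeply with modulus size, which is why the 2048-bit floor exists; a check like `key_is_acceptable` belongs wherever a client or server loads a public key.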
The Windows version of the browser has similar problems, but in this case web browsing histories are leaked totally unencrypted. It also takes other pieces of identifying information, such as the computer's hard drive serial and model number, and transmits it all using an MD5 hash, a notoriously weak hashing algorithm.
The researchers also found issues with how each version of the browser handled software updates, which could allow an attacker to run arbitrary code on a target's machine or install rogue apps.
"While in our testing the program we overwrote QQ Browser with a benign program, a malicious attacker could use this attack to install hidden spyware or malware," the researchers write, referring to a test on the Windows browser. On Android, the researchers were able to install a new app with a host of different access permissions.
QQ isn't the first Chinese browser to have serious vulnerabilities. Previous Citizen Lab research has found similar issues in Baidu Browser and UC Browser, although it's unclear whether they are related.
Citizen Lab informed Tencent, the company behind QQ, of the issues in early February, and Tencent has since released updated versions of both the Android and Windows browsers. Citizen Lab claims, however, that not all of the vulnerabilities have been addressed.
The researchers add that Tencent did not respond to a series of questions related to how these vulnerabilities came about, as well as whether the company shares data with third parties.