WUP! There It Is: Privacy and Security Issues in QQ Browser - The Citizen Lab
<!doctype html>
<html lang="en-US" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8">
<title>WUP! There It Is: Privacy and Security Issues in QQ Browser - The Citizen Lab</title>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="description" content="This report describes privacy and security issues with the Windows and Android versions of QQ Browser. Our research shows that both versions of the application transmit personally identifiable data without encryption or with easily decrypted encryption, and do not adequately protect the software update process."/>
<link rel="canonical" href="https://citizenlab.ca/2016/03/privacy-security-issues-qq-browser/" />
<meta property="og:type" content="article" />
<meta property="og:site_name" content="The Citizen Lab" />
<meta property="article:tag" content="Asia Chats" />
<meta property="article:tag" content="China" />
<meta property="article:tag" content="QQ Browser" />
<meta property="article:tag" content="Tencent" />
<meta property="article:section" content="App Privacy and Controls" />
<meta property="og:image" content="https://citizenlab.ca/wp-content/uploads/2016/03/Figure3.png" />
<meta property="og:image:alt" content="Figure 3: Example man-in-the-middle attack on QQ Browser’s self-updater by first injecting a vulnerable Web installer and then injecting our arbitrary program. A benign program that displays “Oh Hai There” was used as the payload, but any arbitrary program such as spyware or malware could be injected." />
<meta property="article:published_time" content="2016-03-28T16:47:08-04:00" />
<meta property="article:modified_time" content="2024-11-21T22:02:36-05:00" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Jeffrey Knockel" />
<meta name="twitter:label2" content="Time to read" />
<meta name="twitter:data2" content="34 minutes" />
</head>
<body itemscope itemtype="http://schema.org/WebPage">
<div id="container" class="pa3 pv4-l ph5-l"> <main id="main" role="main" itemscope itemprop="mainContentOfPage" itemtype="http://schema.org/Blog"> <section id="content" class="container"> <article id="post-27326" dir="ltr" 27326role="article" itemscope itemprop="blogPost" itemtype="http://schema.org/BlogPosting" class="lh-copy"> <header> <span class="f6 mt0" dir="ltr"><a
href="https://citizenlab.ca/category/research/" class="breadcrumbs"><a href="https://citizenlab.ca/category/research/" class="breadcrumbs">Research</a><span class="fa-solid fa-chevron-right mh2" aria-hidden="true"></span></a><a href="https://citizenlab.ca/category/research/app-privacy-and-security/" class="breadcrumbs">App Privacy and Controls</a></span> <h1 itemprop="headline" rel="bookmark" class="ma0 mt5 lh-title"> <!-- Title --> <span class="db f2 f1-ns black lh-solid no-hyphen">WUP! There It Is</span> <!-- Subtitle --> <span class="db f4 f2-ns mid-gray mt2 lh-title oswald-regular mb2-ns no-hyphen"> Privacy and Security Issues in QQ Browser</span> </h1> <div dir="ltr" class="mt2"> <div class="f5 mr4 b dark-gray dib">By <a href="https://citizenlab.ca/author/jknockel/" title="Posts by Jeffrey Knockel" class="author url fn" rel="author">Jeffrey Knockel</a>, <a href="https://citizenlab.ca/author/adamsenft/" title="Posts by Adam Senft" class="author url fn" rel="author">Adam Senft</a>, and <a href="https://citizenlab.ca/author/profd/" title="Posts by Ron Deibert" class="author url fn" rel="author">Ron Deibert</a></div> <time class="dark-gray dib f5 mr4" datetime="2016-03-28" itemprop="datePublished">March 28, 2016</time> <!-- Display other versions of the post --> </div> <!-- Display the link for the PDF version of the post --> <div> <a class="cta-button-outline" href="https://tspace.library.utoronto.ca/bitstream/1807/97228/1/Report%2372--qqbrower.pdf" title="Download this report">Download this report</a> </div> </header> <section itemprop="articleBody" class="article-body mb4 mt4 pt2 bt b--light-gray"> <p><span style="font-weight: 400"><a href="https://citizenlab.ca/2016/03/qq%E6%B5%8F%E8%A7%88%E5%99%A8%E5%AD%98%E5%9C%A8%E7%9A%84%E9%9A%90%E7%A7%81%E4%B8%8E%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3/" class="pointer">QQ浏览器存在的隐私与安全隐患</a></span></p> <h2 class="lh-solid mb3">Key findings</h2> <ul class="mt0"> <li style="font-weight: 400" class="mt2"><span style="font-weight: 
400">Both Windows (v9.2.5478) and Android (v6.3.0.1920) versions of the web browser QQ Browser transmit personal user data to QQ servers without encryption or with easily decryptable encryption, and are vulnerable to arbitrary code execution during software updates.</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">The Android version of QQ Browser transmits personally identifiable data, including a user’s IMEI, IMSI, nearby WiFi access points, search queries entered into the address bar, URLs of pages visited, and Android ID, without encryption or with easily decryptable encryption.</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">The Windows version of QQ Browser transmits personally identifiable data, including the URLs of visited websites, hard drive serial number, MAC address, and machine hostname, without encryption or with easily decryptable encryption.</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">The software updating processes of both the Android and Windows versions of QQ Browser have vulnerabilities that leave them susceptible to an attacker executing arbitrary code.</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">Please see the “<a href="#analysis" class="pointer">Update: Analysis of updated versions of QQ Browser</a>” section at the end of this report for our analysis of the latest versions (Windows version 9.3.6872 and Android version 6.4.2) released prior to publication, following our disclosure to the vendor.</span></li> </ul> <h2 class="lh-solid mb3">Introduction</h2> <p class="mt0"><span style="font-weight: 400">QQ Browser (QQ浏览器) is a free web browser for the Android, Windows, Mac, and iOS platforms, developed by Chinese Internet giant Tencent. The application offers a number of features beyond those offered by built-in browsers, such as tabbed windows and integration with other chat platforms. 
</span></p> <p><span style="font-weight: 400">This report provides a detailed analysis of how the Windows and Android versions of QQ Browser transmit user data during their operation. This analysis reveals that both versions of QQ Browser transmit a number of personally identifiable user data points either with no encryption or with easily decryptable encryption. We use the phrase “easily decryptable encryption” to refer to the improper implementation of encryption algorithms. For a full discussion, see the “‘Easily decryptable’ encryption” textbox in our report </span><a href="https://citizenlab.ca/2016/02/privacy-security-issues-baidu-browser/" class="pointer"><span style="font-weight: 400">Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">This insecure data transmission means that any in-path actor (such as a user’s ISP, a coffee shop WiFi network, or a malicious actor with network visibility across any of these types of access points) would be able to acquire this personal data by collecting traffic and performing any necessary decryption. </span></p> <p><span style="font-weight: 400">In addition to this insecure data transmission, both tested versions of the application perform software updates in a manner that is vulnerable to execution of arbitrary code by an attacker. This means that a malicious actor would be able to spoof a software update in order to install malicious code on a user’s device. </span></p> <p><span style="font-weight: 400">This report is a continuation of Citizen Lab research on the </span><a href="https://citizenlab.ca/tag/asia-chats/" class="pointer"><span style="font-weight: 400">privacy and security of mobile applications in Asia</span></a><span style="font-weight: 400">. 
Our previous work includes reports that identified similar concerns with mobile browsers </span><a href="https://citizenlab.ca/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/" class="pointer"><span style="font-weight: 400">UC Browser</span></a><span style="font-weight: 400"> and </span><a href="https://citizenlab.ca/2016/02/privacy-security-issues-baidu-browser/" class="pointer"><span style="font-weight: 400">Baidu Browser</span></a><span style="font-weight: 400">, which were both found to transmit sensitive user information with either no encryption or easily decryptable encryption. The security issues discovered in UC Browser were also identified in documents leaked by Edward Snowden that indicated the </span><a href="https://en.wikipedia.org/wiki/Five_Eyes" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">Five Eyes intelligence alliance</span></a><span style="font-weight: 400"> (NSA, GCHQ, CSE, ASD, and GCSB) had used these vulnerabilities as </span><a href="http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">a means of identifying and tracking users</span></a><span style="font-weight: 400">. We have also published a primer on mobile security and privacy, entitled </span><a href="https://citizenlab.ca/2015/05/the-many-identifiers-in-our-pocket-a-primer-on-mobile-privacy-and-security/" class="pointer"><span style="font-weight: 400">The Many Identifiers in Our Pockets</span></a><span style="font-weight: 400">, which provides further background on the types of personal data commonly collected and transmitted by mobile devices. 
</span></p> <p><span style="font-weight: 400">In addition, we have conducted research into </span><a href="https://citizenlab.ca/2013/07/china-chats/" class="pointer"><span style="font-weight: 400">keyword censorship and surveillance in TOM-Skype and keyword censorship in messaging platform Sina UC</span></a><span style="font-weight: 400">, as well as a comparative analysis of </span><a href="https://citizenlab.ca/2013/11/asia-chats-investigating-regionally-based-keyword-censorship-line/" class="pointer"><span style="font-weight: 400">mobile chat applications popular in Asia</span></a><span style="font-weight: 400">, including WeChat, LINE and KakaoTalk. We have also examined </span><a href="https://citizenlab.ca/2015/07/tracking-censorship-on-wechat-public-accounts-platform/" class="pointer"><span style="font-weight: 400">censorship practices in Tencent’s other flagship application, WeChat</span></a><span style="font-weight: 400">. The overall aims of this research are to employ a mixed methods approach, including reverse engineering and other technical analysis methods, to better inform users about the security and privacy risks of the applications they use, and, where relevant, to engage the companies who produce these applications in a process of responsible disclosure to mitigate risks to users.</span></p> <p><span style="font-weight: 400">On March 17, 2016 we sent detailed questions to Tencent inquiring about the possible reasons for the collection and insecure transmission of user data to QQ servers. Those questions can be found </span><a href="https://citizenlab.ca/wp-content/uploads/2016/03/TencentLetter.pdf" class="pointer"><span style="font-weight: 400">here</span></a><span style="font-weight: 400">. As of the date of publication, we have not received a reply. 
At the end of the report, we discuss several possible underlying causes for the strikingly similar issues we found in the three web browsers produced by China-based companies that we have examined.</span></p> <h2 class="lh-solid mb3">QQ Browser Background</h2> <p class="mt0"><a href="http://browser.qq.com/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">QQ Browser</span></a><span style="font-weight: 400"> is a web browser for the Android, Windows, OS X, and iOS platforms, developed by Tencent. The Android version of QQ Browser was </span><a href="https://www.techinasia.com/qq-browser-getjar" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">first released outside of China</span></a><span style="font-weight: 400"> in November 2011, and a version for the OS X platform</span><a href="http://browser.qq.com/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400"> was released in March 2012</span></a><span style="font-weight: 400">. Alongside competitors such as UC Browser and Baidu Browser, QQ Browser is one of a number of third-party mobile browsers which are </span><a href="https://www.techinasia.com/mobile-browsers-dominate-asia-smartphones" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">particularly popular in Asia</span></a><span style="font-weight: 400">. QQ Browser offers a number of features tailored for mobile users, such as </span><a href="https://www.techinasia.com/qq-browser-getjar" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">image compression to conserve data usage</span></a><span style="font-weight: 400">. 
</span></p> <p><span style="font-weight: 400">The app has been very popular, particularly in China, where in January 2013 it was the </span><a href="https://www.techinasia.com/most-popular-smartphone-apps-china-2013" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">eighth most-installed application</span></a><span style="font-weight: 400"> in both the iOS and Android categories. By December 2015, the browser was estimated to have a </span><a href="http://www.chinainternetwatch.com/16549/mobile-browser-market-q3-2015/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">penetration rate among Chinese mobile browser users of 48.3%</span></a><span style="font-weight: 400">. Recent statistics for usage outside of China are difficult to come by, but the application had </span><a href="https://www.techinasia.com/qq-browser-international-users" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">16 million non-Chinese users in 2012</span></a><span style="font-weight: 400">, with the vast majority based in other countries in Asia.</span></p> <p><span style="font-weight: 400">Tencent is one of China’s largest technology companies, with </span><a href="http://www.tencent.com/en-us/content/at/2016/attachments/20160317.pdf" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">2015 revenues exceeding 102 billion RMB (USD$15.8b)</span></a><span style="font-weight: 400"> and an </span><a href="http://www.reuters.com/article/us-tencent-valuation-idUSKBN0N40WN20150413" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">April 2015 market valuation of USD$206 billion</span></a><span style="font-weight: 400">. 
Amongst its many online offerings, the company has developed two of the world’s most popular instant messaging platforms: WeChat (known in China as 微信, or </span><i><span style="font-weight: 400">Weixin</span></i><span style="font-weight: 400">) and QQ. Tencent reported that </span><a href="http://www.tencent.com/en-us/content/at/2016/attachments/20160317.pdf" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">QQ had 853 million monthly active users (MAUs) in 2015, while WeChat/Weixin had 640 million MAUs</span></a><span style="font-weight: 400"> during the same period. </span></p> <p><span style="font-weight: 400">Tencent’s messaging applications have been the focus of controversy in the past, with China-based dissidents expressing concern that their </span><a href="https://www.theguardian.com/world/2012/dec/07/wechat-chinese-social-media-app" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">WeChat communications may have been monitored by Chinese authorities</span></a><span style="font-weight: 400">. In response, </span><a href="http://www.scmp.com/comment/blogs/article/1083025/hu-jia-explains-why-mobile-apps-make-activism-spooky" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">Tencent stated</span></a><span style="font-weight: 400">, “We have taken user data protection seriously in our product development and daily operations, and at the same time, like other international peers, we comply with relevant laws in the countries where we have operations.” </span></p> <p><span style="font-weight: 400">Like many companies, Tencent has both a Terms of Service and Privacy Policy that describe the types of user data collected by their applications and services and the conditions under which that data can be shared. 
The </span><a href="http://www.tencent.com/en-us/zc/privacypolicy.shtml" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">English-language version of the Privacy Policy</span></a><span style="font-weight: 400"> states that “We use a variety of security technologies and procedures for the purpose of preventing loss, misuse, unauthorised access or disclosure of Information. In some of our services, we will use encryption technology (such as SSL) to protect certain sensitive Information provided by you to us.” </span><br> <span style="font-weight: 400"><br> In addition, the </span><a href="http://www.tencent.com/en-us/zc/privacypolicy.shtml" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">Privacy Policy</span></a><span style="font-weight: 400"> states that “[y]ou agree that we or our affiliate companies may be required to retain, preserve or disclose your Personal Information: (i) in order to comply with applicable laws or regulations; (ii) in order to comply with a court order, subpoena or other legal process; (iii) in response to a request by a government authority, law enforcement agency or similar body (whether situated in your jurisdiction or elsewhere); or (iv) where we believe it is reasonably necessary to comply with applicable laws or regulations.”</span></p> <h2 class="lh-solid mb3">Responsible Disclosure & Notification</h2> <p class="mt0"><span style="font-weight: 400">Tencent operates a </span><a href="http://en.security.tencent.com/#/index" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">Security Response Center</span></a><span style="font-weight: 400">, which describes the process for submitting security vulnerabilities, and the types of vulnerabilities that are considered in scope. On February 5, 2016, we used this site to submit a security vulnerability report to Tencent. 
We indicated that we would publish our report no sooner than 45 days after notification, in line with </span><a href="https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">international standards on vulnerability disclosure</span></a><span style="font-weight: 400">. </span></p> <p><span style="font-weight: 400">On or before March 14, 2016, Tencent released version 9.3.6872 of the Windows version of QQ Browser. On March 2, 2016, Tencent released version 6.4.2.2075 of the Android version of the application. We performed an analysis of both updated versions to determine if the issues we identified had been resolved. The results of that analysis are described in the “Update: Analysis of updated versions of QQ Browser” section at the end of this report.</span></p> <p><span style="font-weight: 400">We have documented all correspondence with Tencent related to these security issues in an Appendix at the end of this report.</span></p> <h2 class="lh-solid mb3">Technical Analysis</h2> <p class="mt0"><span style="font-weight: 400">We analyzed version 6.3.0.1920 of the Android version and version 9.2.5478 of the Windows version of QQ browser using a number of tools. We used tcpdump and Wireshark to capture and analyze network traffic, and we used machine code and bytecode disassemblers, decompilers and debuggers, including JD, JADX and IDA, to analyze program behaviour. </span></p> <p><span style="font-weight: 400">We found the browsers communicate back to their servers using a common mechanism that leaks different kinds of personal information, and we found them to have multiple security vulnerabilities in their self-updating processes.</span></p> <p><span style="font-weight: 400">Our technical analysis is split into three parts. The first part describes a basic structure used by both analyzed versions of QQ Browser to transmit data to QQ servers. 
The second part contains our analysis of the personal user data transmitted, as well as the software update process, for the Android version of the application. The third part describes our analysis of the same features in the Windows version of the application.</span></p> <h3 class="lh-solid mb3">Part 1: QQ Browser Data Transmission</h3> <p class="mt0"><span style="font-weight: 400">Both the Android and Windows QQ browsers we analyzed communicate with QQ’s servers using something their software refers to internally as a </span><i><span style="font-weight: 400">WUP request</span></i><span style="font-weight: 400">. </span></p> <h4 class="lh-solid mb3">WUP Requests</h4> <p class="mt0"><span style="font-weight: 400">A WUP request is a binary format that can contain different kinds of values, including integers, floating point numbers, lists, strings, and recursive structures. These requests are sometimes encrypted before being embedded into the body of an HTTP POST request that is sent to its destination URL. We wrote Python scripts that decrypt and parse these requests into a human-readable format; they are available </span><a href="https://www.cs.unm.edu/~jeffk/qq-browser/qq-crypt.tar.gz" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">here</span></a><span style="font-weight: 400">. That code also includes all the other scripts required to decrypt the data that we discuss in this report.</span></p> <h4 class="lh-solid mb3">Q-GUID, Q-UA, and Q-UA2 Fields</h4> <p class="mt0"><span style="font-weight: 400">Q-GUID, Q-UA, and Q-UA2 are the names of fields that appear in the HTTP headers of WUP requests. However, in our description of different WUP requests below, we also use these terms to refer to instances when their respective values additionally appear in the payloads of WUP requests. 
In the HTTP header, these fields always appear without encryption, although when they appear in WUP requests their format may vary.</span></p> <p><span style="font-weight: 400">The Q-GUID field is populated by a value requested from QQ’s servers via a WUP request at initial startup, and after it is received, it is retained by the browser and included without encryption as an HTTP header in most subsequent requests. It is also included in the payloads of many WUP requests in different ways. An example Q-GUID is</span></p> <pre style="text-align: center"><span style="font-weight: 400">caed22d728efa6127d53bc0412f888cb</span></pre> <p><span style="font-weight: 400">GUID likely stands for “globally unique identifier,” a kind of 128-bit number used in software that is often generated randomly.</span></p> <p><span style="font-weight: 400">The Q-UA and Q-UA2 values include hard-coded information about the version of QQ browser installed and the type of hardware on which it is installed. Although UA likely stands for “user agent” and contains similar information to an HTTP user agent string, its format is distinct from the user agent HTTP field also included by QQ browser in HTTP headers.</span></p> <h3 class="lh-solid mb3">Part 2: Analysis of QQ Browser – Android Version</h3> <p class="mt0"><span style="font-weight: 400">We analyzed version 6.3.0.1920 of QQ browser for Android, which we downloaded from </span><a href="http://mb.qq.com/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://mb.qq.com/</span></a><span style="font-weight: 400">.</span><span style="font-weight: 400"><sup><a href="#1" class="pointer">1</a></sup> We found that after launching and on certain events, such as viewing a page or checking for software updates, the browser sends WUP requests to </span><a href="http://wup.imtt.qq.com:8080/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://wup.imtt.qq.com:8080/</span></a><span 
style="font-weight: 400">. When encrypted, these requests are encrypted according to the scheme described below.</span></p> <p><span style="font-weight: 400">For each encrypted WUP request, an AES key is generated according to the following Java code:</span></p> <pre>// Each half is an 8-digit decimal number in the range 10000000..99999998.
int i = 10000000 + new Random().nextInt(89999999);
int j = 10000000 + new Random().nextInt(89999999);
// The key is the 16 ASCII digits of i followed by those of j.
return (String.valueOf(i) + String.valueOf(j)).getBytes();</pre> <p><span style="font-weight: 400">Thus, the key is a 128-bit key consisting of 16 ASCII digits. Moreover, the first and ninth bytes can never be zero and neither the first eight nor the last eight bytes can be all nines, and so the keyspace, rather than having the usual size of 2<sup>128</sup>, has a size of only 89999999<sup>2</sup> &lt; 2<sup>53</sup>.</span></p> <p><span style="font-weight: 400">This key is then used to encrypt the WUP request with AES+ECB. The AES key is then encrypted with a 128-bit RSA public key with modulus 245406417573740884710047745869965023463 and exponent 65537. The encrypted AES key is then included in the HTTP request in the </span><i><span style="font-weight: 400">qbkey</span></i><span style="font-weight: 400"> HTTP header.</span></p> <p><span style="font-weight: 400">RSA is an asymmetric encryption algorithm, meaning that a different, private key is used for decryption, so the above RSA key cannot be immediately used by someone monitoring traffic to decrypt the AES key and thus the WUP request itself. However, the security of RSA is dependent on the difficulty of the prime factorization of the encryption key’s modulus. Once factored, the decryption key can be easily recovered. The above RSA public key is only 128 bits, which is small enough to be easily factored. 
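</span></p>
<p><span style="font-weight: 400">The following added example (not code from this report, its published scripts, or QQ Browser) works through the two weaknesses described above: the reduced AES keyspace and the undersized RSA modulus. It uses the modulus and exponent quoted above and the two prime factors the report gives immediately below; the function names are hypothetical, the sample key is constructed, and treating the key wrapping as unpadded RSA is an assumption made for illustration.</span></p>

```python
"""Added illustration of the WUP request key weaknesses described in the report."""
import math
import random

# Values quoted in the report.
RSA_MODULUS = 245406417573740884710047745869965023463
RSA_EXPONENT = 65537
FACTOR_P = 14119218591450688427
FACTOR_Q = 17381019776996486069

MIN_RSA_BITS = 2048    # traditional minimum cited in the report
EXPECTED_KEY_BITS = 128  # what an AES-128 key should provide


def generate_key_like_app(rng=None):
    """Python port of the Java key generation quoted in the report."""
    rng = rng or random.Random()
    i = 10000000 + rng.randrange(89999999)  # Java nextInt(89999999) yields 0..89999998
    j = 10000000 + rng.randrange(89999999)
    return (str(i) + str(j)).encode("ascii")


def keyspace_bits():
    """Effective key strength in bits: log2 of the number of possible keys."""
    return math.log2(89999999 ** 2)


def derive_private_exponent(p, q, e):
    """Standard RSA relation: d is the inverse of e modulo (p - 1)(q - 1)."""
    return pow(e, -1, (p - 1) * (q - 1))


def wrap_key(aes_key, n=RSA_MODULUS, e=RSA_EXPONENT):
    """Encrypt a key with unpadded RSA (assumption: the report does not state the padding)."""
    m = int.from_bytes(aes_key, "big")
    if m >= n:
        raise ValueError("key does not fit under the modulus")
    return pow(m, e, n)


def unwrap_key(ciphertext, d, n=RSA_MODULUS, length=16):
    """Recover the key bytes once the private exponent is known."""
    return pow(ciphertext, d, n).to_bytes(length, "big")


def audit_key_material(n, key_bits):
    """Defender-side review check: list the findings for a modulus and a symmetric key strength."""
    findings = []
    if n.bit_length() < MIN_RSA_BITS:
        findings.append(
            "RSA modulus is %d bits; at least %d expected" % (n.bit_length(), MIN_RSA_BITS)
        )
    if key_bits < EXPECTED_KEY_BITS:
        findings.append(
            "symmetric key has about %.1f bits of entropy; %d expected"
            % (key_bits, EXPECTED_KEY_BITS)
        )
    return findings


def demo():
    """Round-trip a constructed sample key and report what the audit finds."""
    sample_key = b"1234567812345678"  # constructed sample, not captured traffic
    d = derive_private_exponent(FACTOR_P, FACTOR_Q, RSA_EXPONENT)
    recovered = unwrap_key(wrap_key(sample_key), d)
    return {
        "factors_match_modulus": FACTOR_P * FACTOR_Q == RSA_MODULUS,
        "modulus_bits": RSA_MODULUS.bit_length(),
        "keyspace_bits": round(keyspace_bits(), 2),
        "round_trip_ok": recovered == sample_key,
        "findings": audit_key_material(RSA_MODULUS, keyspace_bits()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

<p><span style="font-weight: 400">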
(RSA keys are </span><a href="http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">traditionally recommended to be at least 2048 bits</span></a><span style="font-weight: 400">.) We were able to use Wolfram Alpha, an online mathematics engine, to factor the modulus in less than one second:</span></p> <p style="text-align: center"><a href="http://www.wolframalpha.com/input/?i=factor+245406417573740884710047745869965023463" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://www.wolframalpha.com/input/?i=factor+245406417573740884710047745869965023463</span></a></p> <p><span style="font-weight: 400">which yielded the following two prime factors:</span></p> <p style="text-align: center"><span style="font-weight: 400">14119218591450688427 x 17381019776996486069</span></p> <p><span style="font-weight: 400">Using these factors, any man-in-the-middle monitoring traffic can easily decrypt the AES key of every encrypted WUP request and use that AES key to decrypt the request itself.</span></p> <p><span style="font-weight: 400">We monitored traffic sent by the browser and used this key to decrypt all of the WUP requests sent by the browser. We found multiple WUP requests that transmit easily decryptable personal information. In Figure 1, we show an example of a decrypted WUP request that has been parsed into more readable form by a script that we wrote.</span></p> <figure class="center mw-100 ba b--light-gray" style="width:740px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2016/03/Figure1.png" rel="attachment wp-att-27344" class="pointer"><img fetchpriority="high" decoding="async" class="size-full wp-image-27344" src="https://citizenlab.ca/wp-content/uploads/2016/03/Figure1.png" alt="Example of decrypted WUP request as presented by our tool. Sensitive numbers have been manually replaced with “#” symbols." 
width="740" height="438" title="WUP! There It Is: Privacy and Security Issues in QQ Browser 1" srcset="https://citizenlab.ca/wp-content/uploads/2016/03/Figure1.png 740w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure1-300x178.png 300w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure1-180x107.png 180w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure1-574x340.png 574w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure1-297x176.png 297w" sizes="(max-width: 740px) 100vw, 740px" /></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray">Figure 1: Example of decrypted WUP request as presented by our tool. Sensitive numbers have been manually replaced with “#” symbols.</figcaption></figure> <p><span style="font-weight: 400">Below we identify some of the most significant of these requests followed by the personal information that each transmits:</span></p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table class="wb-normal ba b--light-gray" border="0" cellspacing="0"> <tbody> <tr class="striped--light-gray"> <th>WUP Request</th> <th>Time Observed</th> <th>Encryption</th> </tr> <tr class="striped--light-gray"> <td>profileInfo.profileInfo</td> <td>Browser startup</td> <td>Easily decryptable</td> </tr> <tr class="striped--light-gray"> <td>hotword.getAssociationalWords</td> <td>Typing into address bar</td> <td>Not encrypted</td> </tr> <tr class="striped--light-gray"> <td>Security.doSecurityReqest [sic]</td> <td>Page view</td> <td>Easily decryptable</td> </tr> <tr class="striped--light-gray"> <td>proxyip.getIPListByRouter</td> <td>Browser startup</td> <td>Easily decryptable</td> </tr> <tr class="striped--light-gray"> <td>pkgcenternew.checkUpdate</td> <td>Update check</td> <td>Easily decryptable</td> </tr> </tbody> </table></figure> <p> </p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table class="wb-normal ba b--light-gray" border="0" cellspacing="0"> <tbody> <tr 
class="striped--light-gray"> <th>Data point</th> <th>Description of data point</th> <th>Encryption</th> <th>WUP Requests</th> </tr> <tr class="striped--light-gray"> <td>IMEI</td> <td>The International Mobile Equipment Identifier is a string of numbers that is unique for every device.</td> <td>Easily decryptable</td> <td>profileInfo.profileInfo<br> Security.doSecurityReqest<br> proxyip.getIPListByRouter<br> pkgcenternew.checkUpdate</td> </tr> <tr class="striped--light-gray"> <td>IMSI</td> <td>The International Mobile Subscriber Identification number uniquely identifies the user.</td> <td>Easily decryptable</td> <td>profileInfo.profileInfo</td> </tr> <tr class="striped--light-gray"> <td>Q-GUID</td> <td>Unique string used by QQ Browser to identify a particular user.</td> <td>Not encrypted</td> <td>hotword.getAssociationalWords<br> Security.doSecurityReqest<br> proxyip.getIPListByRouter</td> </tr> <tr class="striped--light-gray"> <td>Q-UA2</td> <td>A value used by QQ Browser that identifies the version of the application used and the type of hardware on which it is installed.</td> <td>Not encrypted</td> <td>hotword.getAssociationalWords<br> Security.doSecurityReqest</td> </tr> <tr class="striped--light-gray"> <td>QQ username</td> <td>The user’s QQ username.</td> <td>Easily decryptable</td> <td>profileInfo.profileInfo</td> </tr> <tr class="striped--light-gray"> <td>Screen pixel dimensions</td> <td>The dimensions in pixels of a user’s device screen.</td> <td>Easily decryptable</td> <td>profileInfo.profileInfo</td> </tr> <tr class="striped--light-gray"> <td>WiFi MAC address</td> <td>A Media Access Control address uniquely identifies wireless transmitters like Bluetooth and Wi-Fi chips in the device.</td> <td>Easily decryptable</td> <td>profileInfo.profileInfo*</td> </tr> <tr class="striped--light-gray"> <td>In-range WiFi access point MAC addresses</td> <td>The Media Access Control addresses of all nearby WiFi access points.</td> <td>Easily decryptable</td> 
<td>profileInfo.profileInfo<br> proxyip.getIPListByRouter</td> </tr> <tr class="striped--light-gray"> <td>SSID of connected WiFi access point</td> <td>The name of the WiFi access point to which the user is connected.</td> <td>Easily decryptable</td> <td>proxyip.getIPListByRouter</td> </tr> <tr class="striped--light-gray"> <td>Android ID</td> <td>A unique number generated when the operating system is first run that can be used to track users.</td> <td>Easily decryptable</td> <td>pkgcenternew.checkUpdate</td> </tr> <tr class="striped--light-gray"> <td>Address bar contents</td> <td>The contents of the address bar typed in by a user (e.g., a search query).</td> <td>Not encrypted</td> <td>hotword.getAssociationalWords</td> </tr> <tr class="striped--light-gray"> <td>Full page URL</td> <td>The full URL of each page visited in the browser.</td> <td>Easily decryptable</td> <td>Security.doSecurityReqest</td> </tr> </tbody> </table></figure> <p><em><span style="font-weight: 400">*WiFi MAC address is encrypted with DES+ECB with key </span><span style="font-weight: 400">“\x25\x92\x3c\x7f\x2a\xe5\xef\x92”</span></em></p> <p><span style="font-weight: 400">The responses to WUP requests were also easily decryptable. WUP responses were not encrypted using the asymmetric algorithm described earlier but instead used a purely symmetric algorithm, and thus we were not required to factor any key. Namely, they were encrypted using MTEA+MCBC with the following hard-coded, ASCII-encoded key:</span></p> <p style="text-align: center"><span style="font-weight: 400">“sDf434ol*123+-KD”</span></p> <p><span style="font-weight: 400">Interestingly, QQ Browser uses the same non-standard MTEA+MCBC implementation we observed in our study of Baidu Browser. 
(See Figure 4 and accompanying text in </span><a href="https://citizenlab.ca/2016/02/privacy-security-issues-baidu-browser/" class="pointer"><span style="font-weight: 400">our report</span></a><span style="font-weight: 400">.)</span></p> <p><span style="font-weight: 400">Since the algorithm is symmetric, the same key is used to both encrypt and decrypt these responses. Thus, any man-in-the-middle can use this key to perform an active attack by spoofing the response from QQ servers. We demonstrate this by attacking QQ browser’s self-updating process. </span></p> <h4 class="lh-solid mb3">Vulnerable software update process</h4> <p class="mt0"><span style="font-weight: 400">A </span><i><span style="font-weight: 400">pkgcenternew.checkUpdate </span></i><span style="font-weight: 400">request, as described earlier, indicates that a software update is available. The response to this request may contain a link to a new APK to download, an MD5 hash of that APK, and a textual description of the changes contained in that update. Android does not allow an APK to upgrade an app if the APK is signed with a different digital signature than that of the currently installed app, and so this attack cannot be used to replace QQ browser with an arbitrary APK; however, it may still be used to install a new app, and a properly crafted APK using the name and logo of QQ browser could be used to deceive a user into installing a malicious APK (see Figure 2).</span></p> <figure class="center mw-100 ba b--light-gray" style="width:740px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1.png" rel="attachment wp-att-27369" class="pointer"><img decoding="async" class="size-full wp-image-27369" src="https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1.png" alt="Figure 2: Example man-in-the-middle attack on QQ Browser’s updater. On the left, we injected a custom update description. 
On the right, after the update is downloaded, the browser prompts the user to install the Angry Birds APK (an actual attacker might instead craft an app called “QQ Browser” with an icon similar to that of QQ Browser to further convince the user to install it)." width="740" height="545" title="WUP! There It Is: Privacy and Security Issues in QQ Browser 2" srcset="https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1.png 740w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1-300x221.png 300w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1-180x133.png 180w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1-462x340.png 462w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure2-1-270x199.png 270w" sizes="(max-width: 740px) 100vw, 740px" /></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray">Figure 2: Example man-in-the-middle attack on QQ Browser’s updater. On the left, we injected a custom update description. On the right, after the update is downloaded, the browser prompts the user to install the Angry Birds APK (an actual attacker might instead craft an app called “QQ Browser” with an icon similar to that of QQ Browser to further convince the user to install it).</figcaption></figure> <p><span style="font-weight: 400">It is worthwhile noting that the current </span><a href="https://support.google.com/googleplay/answer/2843119?hl=en&ref_topic=3364260" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">unavailability</span></a><span style="font-weight: 400"> of the Google Play store in China creates the need for Android applications targeting users in China to find alternative methods of updating. Without the option of using the Play store’s software update process, developers are required to implement their own auto-updating mechanism, which as demonstrated in this case can introduce new opportunities for vulnerabilities in an app’s update process. 
It has been rumoured that a version of the Play store for the Chinese market </span><a href="http://www.reuters.com/article/us-alphabet-china-idUSKCN0T91K420151120" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">will be launched in 2016</span></a><span style="font-weight: 400">. </span></p> <h3 class="lh-solid mb3">Part 3: Analysis of QQ Browser – Windows Version</h3> <p class="mt0"><span style="font-weight: 400">We analyzed version 9.2.5478 of QQ browser for Windows, which we downloaded from </span><a href="http://browser.qq.com/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://browser.qq.com/</span></a><span style="font-weight: 400">. Although the Windows version also communicates with QQ’s servers using WUP requests, it differs from the Android client in how and when communications are encrypted. Moreover, the Windows version uses the MTEA+MCBC algorithm to encrypt WUP requests, a symmetric encryption algorithm, rather than the asymmetric RSA-based algorithm used by the Android version. 
(Encrypted WUP responses use MTEA+MCBC in both the Android and Windows versions.)</span></p> <p><span style="font-weight: 400">Although we observed the Android version sending WUP requests solely to </span><a href="http://wup.imtt.qq.com:8080/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://wup.imtt.qq.com:8080/</span></a><span style="font-weight: 400">, we observed the Windows version sending WUP requests to a variety of URLs including </span><a href="http://qbwup.imtt.qq.com" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://qbwup.imtt.qq.com</span></a><span style="font-weight: 400">, </span><a href="http://wup.html5.qq.com" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://wup.html5.qq.com</span></a><span style="font-weight: 400">, and </span><a href="http://wup.imtt.qq.com:8080" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://wup.imtt.qq.com:8080</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">The Windows version of the browser also tracks what we henceforth call the machine’s </span><i><span style="font-weight: 400">hardware fingerprint</span></i><span style="font-weight: 400">, which we found included in many of the WUP requests sent. 
The hardware fingerprint is the MD5 hash of the concatenation of the machine’s</span></p> <ol> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">Network MAC address</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">Hard drive disk serial number</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">Hard drive disk model number</span></li> <li style="font-weight: 400" class="mt2"><span style="font-weight: 400">Hard drive disk controller version number</span></li> </ol> <p><span style="font-weight: 400">e.g.,</span></p> <p style="text-align: center"><i><span style="font-weight: 400">md5</span></i><span style="font-weight: 400">(</span><span style="font-weight: 400">“080027B09CC2”</span><span style="font-weight: 400"> + </span><span style="font-weight: 400">“VB7c666e15-ef97c40b”</span><span style="font-weight: 400"> + </span><span style="font-weight: 400">“VBOX HARDDISK”</span><span style="font-weight: 400"> + </span><span style="font-weight: 400">“1.0”</span><span style="font-weight: 400">).</span></p> <p><span style="font-weight: 400">Since MTEA+MCBC is purely symmetric, any man-in-the-middle observing traffic can use the hard-coded encryption key to easily decrypt all encrypted WUP requests. As before, we monitored traffic sent by the browser and decrypted all of the WUP requests. We found multiple WUP requests that leak easily decryptable personal information. 
We have listed below the most significant of these requests followed by the personal information that they transmit:</span></p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table class="wb-normal ba b--light-gray" border="0" cellspacing="0"> <tbody> <tr class="striped--light-gray"> <th>WUP Request</th> <th>Time Observed</th> <th>Encryption</th> </tr> <tr class="striped--light-gray"> <td>devicesniffer.DeviceSnifferHandle</td> <td>Browser startup</td> <td>Easily decryptable</td> </tr> <tr class="striped--light-gray"> <td>login.login</td> <td>Browser startup</td> <td>Easily decryptable</td> </tr> <tr class="striped--light-gray"> <td>qbkpireportbak.stat</td> <td>Browser startup</td> <td>Easily decryptable*</td> </tr> <tr class="striped--light-gray"> <td>qbpcstat.stat</td> <td>Browser startup</td> <td>Easily decryptable*</td> </tr> <tr class="striped--light-gray"> <td>qbindexblacklist.testUrl</td> <td>Search query or URL entered into address bar</td> <td>Not encrypted</td> </tr> </tbody> </table></figure> <p><em><span style="font-weight: 400">* The WUP request is itself not encrypted but contains a nested WUP payload that is encrypted with DES+ECB (a symmetric, easily decryptable algorithm) using the key </span><span style="font-weight: 400">“\x62\xe8\x39\xac\x8d\x75\x37\x79”</span><span style="font-weight: 400">.</span></em></p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table class="wb-normal ba b--light-gray" border="0" cellspacing="0"> <tbody> <tr class="striped--light-gray"> <th>Data point</th> <th>Description of data point</th> <th>Encryption</th> <th>WUP Requests</th> </tr> <tr class="striped--light-gray"> <td>Hardware fingerprint</td> <td>Hash of network MAC address, hard drive disk serial number, hard drive disk model number, hard drive disk controller version number.</td> <td>Not encrypted</td> <td>login.login<br> qbkpireportbak.stat<br> qbpcstat.stat<br> qbindexblacklist.testUrl</td> </tr> <tr 
class="striped--light-gray"> <td>Q-GUID</td> <td>Unique string used by QQ Browser to identify a particular user.</td> <td>Not encrypted</td> <td>devicesniffer.DeviceSnifferHandle<br> login.login*<br> qbkpireportbak.stat<br> qbpcstat.stat<br> qbindexblacklist.testUrl</td> </tr> <tr class="striped--light-gray"> <td>Q-UA</td> <td>A value used by QQ Browser that identifies the version of the application used and the type of hardware on which it is installed.</td> <td>Not encrypted</td> <td>login.login<br> qbindexblacklist.testUrl</td> </tr> <tr class="striped--light-gray"> <td>Machine IP Address</td> <td>The Internet Protocol address of a user’s device.</td> <td>Easily decryptable</td> <td>devicesniffer.DeviceSnifferHandle</td> </tr> <tr class="striped--light-gray"> <td>Machine hostname</td> <td>The Windows hostname of the user’s computer.</td> <td>Easily decryptable</td> <td>devicesniffer.DeviceSnifferHandle</td> </tr> <tr class="striped--light-gray"> <td>Gateway MAC address</td> <td>The Media Access Control address of the gateway used by the user’s computer.</td> <td>Easily decryptable</td> <td>devicesniffer.DeviceSnifferHandle</td> </tr> <tr class="striped--light-gray"> <td>Windows version and build</td> <td>The version and build of Windows running on the user’s computer.</td> <td>Not encrypted</td> <td>qbkpireportbak.stat<br> qbpcstat.stat<br> qbindexblacklist.testUrl</td> </tr> <tr class="striped--light-gray"> <td>Internet Explorer version</td> <td>The version of Internet Explorer installed on the user’s computer.</td> <td>Easily decryptable</td> <td>qbkpireportbak.stat<br> qbpcstat.stat</td> </tr> <tr class="striped--light-gray"> <td>QQ Browser version</td> <td>The version of QQ Browser installed on the user’s computer.</td> <td>Not encrypted</td> <td>qbindexblacklist.testUrl</td> </tr> <tr class="striped--light-gray"> <td>Hard drive serial number</td> <td>The unique serial number of a user’s hard drive.</td> <td>Easily decryptable</td> <td>qbkpireportbak.stat<br> 
qbpcstat.stat</td> </tr> <tr class="striped--light-gray"> <td>Windows user security identifier</td> <td>Unique identifier Windows randomly generates for each Windows user.</td> <td>Easily decryptable</td> <td>qbkpireportbak.stat<br> qbpcstat.stat</td> </tr> <tr class="striped--light-gray"> <td>Full page URL</td> <td>The full URL of each page entered into the address bar.</td> <td>Not encrypted</td> <td>qbindexblacklist.testUrl</td> </tr> </tbody> </table></figure> <p><em>*Q-GUID is encrypted with 3DES+ECB using the key “\x63\xd7\x90\x63\x3c\x0e\x2f\xc3\x46\xef\x85\x37\x42\x1f\x9d\x4a\x46\x3d\x58\xf3\x8a\x95\xec\x84”. Before encryption, the plaintext is interleaved with random bytes, such that the 1st, 3rd, 5th, etc. bytes of the plaintext are the 1st, 2nd, 3rd, etc. bytes of Q-GUID and the 2nd, 4th, 6th, etc. bytes of the plaintext are randomly chosen.</em></p> <p><span style="font-weight: 400">We found that the Windows version also leaked personal information outside of WUP requests when a user visits a page. We found that the full URLs of every viewed page, whether entered into the address bar or reached via a link or another means, were sent using MTEA+MCBC encryption to </span><a href="http://masterconn.qq.com/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://masterconn.qq.com/</span></a><span style="font-weight: 400"> using the key:</span></p> <p style="text-align: center"><span style="font-weight: 400">“\x8a\x0d\x75\x73\x90\x03\x4a\xd2\xb5\x25\xab\xe2\x31\xe2\x9f\x6f”</span></p> <h4 class="lh-solid mb3">Vulnerable software update process</h4> <p class="mt0"><span style="font-weight: 400">Requests checking for software updates are sent via JSON to </span><a href="http://update.browser.qq.com/qbrowser" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://update.browser.qq.com/qbrowser</span></a><span style="font-weight: 400">. 
While we found that similar to the Android version both the request for updates and the server’s subsequent response are not encrypted, we found that unlike the Android version the Windows version verifies the digital signature of the downloaded update. However, we found two attacks against the update process that any man-in-the-middle performing an active attack could still utilize to remotely run code on a QQ Browser user’s machine.</span></p> <p><span style="font-weight: 400">The first attack is a type of directory traversal attack. Normally when an update is available, QQ’s servers respond with the URL of an EXE to download, its MD5 hash, a textual description of the new features and fixes provided by the update, and the filename and location where the EXE will be saved. We found that the filename is not sanitized to remove directories from its name and so by including directory traversal, an active attacker can overwrite any file to which the user has permission to write. For instance, by naming the saved file</span></p> <pre style="text-align: center"><span style="font-weight: 400">../../../../../../../../../program files/tencent/qqbrowser/qqbrowser.exe</span></pre> <p><span style="font-weight: 400">we overwrote QQ Browser with an arbitrary program that would execute the next time the user attempted to run QQ Browser. While in our testing the program we overwrote QQ Browser with was a benign program, a malicious attacker could use this attack to install hidden spyware or malware.</span></p> <p><span style="font-weight: 400">The second attack demonstrates that </span><a href="https://www.usenix.org/system/files/conference/foci12/foci12-final18.pdf" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">checking for digital signatures is in and of itself insufficient for verifying the authenticity of a software update</span></a><span style="font-weight: 400">. 
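</span></p>
<p>Added example (not part of the original report and not Tencent's code): a sketch of the filename check whose absence makes the first attack, the directory traversal, possible. It shows where an unsanitized join lands for several hostile names and how an updater can reject them. The download directory, every sample filename other than the traversal string quoted above, and all function names are assumptions made for illustration.</p>

```python
import re
from pathlib import PureWindowsPath

# Hypothetical download directory. PureWindowsPath applies Windows path
# rules on any OS and never touches the filesystem.
DOWNLOAD_DIR = PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp\qb_update")

# Constructed values for the filename field of an update response. The second
# entry is the traversal string quoted in the report; the rest are assumptions.
SAMPLE_FILENAMES = (
    "QQBrowser_Setup_9.3.exe",
    "../../../../../../../../../program files/tencent/qqbrowser/qqbrowser.exe",
    r"C:\Windows\evil.exe",      # absolute path replaces the base directory
    r"\\host\share\evil.exe",    # UNC path, same effect
    "C:evil.exe",                # drive-relative path
    "update.exe:stream",         # NTFS alternate data stream
    "NUL.exe",                   # DOS device name
    "update.exe.",               # trailing dot, dropped by Win32
    "",
)

# One plain component: no separators, no colon, must end in ".exe".
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,126}\.exe", re.IGNORECASE)
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


class UnsafeUpdateName(ValueError):
    """The server-supplied filename must not be used as a save location."""


def collapse(path):
    """Resolve '.' and '..' lexically, as Win32 path normalisation does."""
    kept = []
    for part in path.parts[1:]:      # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if kept:
                kept.pop()           # '..' at the root stays at the root
        elif part != ".":
            kept.append(part)
    return PureWindowsPath(path.anchor, *kept)


def naive_save_path(download_dir, server_filename):
    """The behaviour the report describes: the name is joined as received."""
    return collapse(download_dir / server_filename)


def safe_save_path(download_dir, server_filename):
    """Return the save path inside download_dir, or raise UnsafeUpdateName."""
    # 1. Allow-list the name instead of trying to strip bad sequences.
    if not _ALLOWED.fullmatch(server_filename):
        raise UnsafeUpdateName(f"not a plain .exe name: {server_filename!r}")
    # 2. DOS device names are special whatever their extension.
    if server_filename.split(".", 1)[0].upper() in _RESERVED:
        raise UnsafeUpdateName(f"reserved device name: {server_filename!r}")
    # 3. Invariant check after joining: the file sits directly in download_dir.
    target = collapse(download_dir / server_filename)
    if target.parent != collapse(download_dir):
        raise UnsafeUpdateName(f"escapes download directory: {server_filename!r}")
    return target


def audit(download_dir=DOWNLOAD_DIR, names=SAMPLE_FILENAMES):
    """Map each name to (where the naive join lands, hardened verdict)."""
    report = {}
    for name in names:
        try:
            verdict = str(safe_save_path(download_dir, name))
        except UnsafeUpdateName:
            verdict = "REJECTED"
        report[name] = (str(naive_save_path(download_dir, name)), verdict)
    return report


if __name__ == "__main__":
    for name, (naive, verdict) in audit().items():
        print(f"{name!r}\n    naive join: {naive}\n    hardened:   {verdict}")
```

<p><span style="font-weight: 400">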
A digital signature verifies that the downloaded EXE was written and signed by Tencent, but it does not verify that it will update QQ Browser to a newer version–it could be any EXE that has ever been signed by QQ. We found an older Web installer for QQ Browser that performs no digital signature checks (itself only using symmetric cryptography), and so on update, we had the user’s QQ Browser “upgrade” to the vulnerable Web installer for QQ Browser, which then proceeded to download and execute an arbitrary EXE of our choosing (see Figure 3).</span></p> <figure class="center mw-100 ba b--light-gray" style="width:500px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2016/03/Figure3.png" rel="attachment wp-att-27350" class="pointer"><img decoding="async" class="size-full wp-image-27350" src="https://citizenlab.ca/wp-content/uploads/2016/03/Figure3.png" alt="Figure 3: Example man-in-the-middle attack on QQ Browser’s self-updater by first injecting a vulnerable Web installer and then injecting our arbitrary program. A benign program that displays “Oh Hai There” was used as the payload, but any arbitrary program such as spyware or malware could be injected." width="462" height="312" title="WUP! There It Is: Privacy and Security Issues in QQ Browser 3" srcset="https://citizenlab.ca/wp-content/uploads/2016/03/Figure3.png 462w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure3-300x203.png 300w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure3-180x122.png 180w, https://citizenlab.ca/wp-content/uploads/2016/03/Figure3-295x199.png 295w" sizes="(max-width: 462px) 100vw, 462px" /></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray">Figure 3: Example man-in-the-middle attack on QQ Browser’s self-updater by first injecting a vulnerable Web installer and then injecting our arbitrary program. 
A benign program that displays “Oh Hai There” was used as the payload, but any arbitrary program such as spyware or malware could be injected.</figcaption></figure> <h2 class="lh-solid mb3">Discussion</h2> <p class="mt0"><span style="font-weight: 400">This report raises a number of serious security issues for QQ Browser users. The application collects and transmits personally identifiable data points in a manner that leaves this data vulnerable to surveillance by third parties. Further, deficiencies in the software update process leave users vulnerable to having arbitrary code, such as a malicious spyware program, inserted by a third party and executed on their devices. Most troubling is the fact that users would generally be unaware of these risks — unaware that such data is being collected and transmitted, and potentially unaware that a properly crafted malicious software update attack could lead to malicious code being installed on their devices.</span></p> <p><span style="font-weight: 400">However, as our previous research has shown, problems of this nature are not unique to any one particular application, operating system, or company. Our analyses of QQ Browser, </span><a href="https://citizenlab.ca/2016/02/privacy-security-issues-baidu-browser/" class="pointer"><span style="font-weight: 400">Baidu Browser</span></a><span style="font-weight: 400">, and </span><a href="https://citizenlab.ca/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/" class="pointer"><span style="font-weight: 400">UC Browser</span></a><span style="font-weight: 400"> have shown that all three — popular browsers made by three of the biggest tech companies in the world — contain strikingly similar security vulnerabilities. Therefore, QQ Browser is not unique in collecting this sensitive user data and transmitting it either without encryption or with easily decryptable encryption methods. 
In light of these similarities, the security concerns raised need to be evaluated through a broader context of mobile and application security generally, rather than focusing on any one particular company or application.</span></p> <p><span style="font-weight: 400">Web browsers are trusted to carefully handle sensitive information inputted by users and securely transmit it to Web servers. However, QQ Browser and the other browsers studied violate this standard of trust by not only collecting sensitive user data themselves, but then also insecurely transmitting it. Even in cases where asymmetric cryptography is used to transmit sensitive user data, it is used inconsistently. The Android version of QQ Browser, which used the asymmetric RSA algorithm, used a key size that was too small to be effective and did not meet the </span><a href="http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">recommended practice of using 2048 bit keys</span></a><span style="font-weight: 400">. This shortcoming illustrates the need for developers to use well-tested implementations of well-studied protocols, such as OpenSSL, a widely-used and well-accepted method of transmitting sensitive data in a more secure manner. </span></p> <p><span style="font-weight: 400">Beyond the criticism about the methods these applications use to transmit personal data, these findings also raise bigger questions about why such data is being collected and transmitted in the first place. Mobile devices transmit a </span><a href="https://citizenlab.ca/2015/05/the-many-identifiers-in-our-pocket-a-primer-on-mobile-privacy-and-security/" class="pointer"><span style="font-weight: 400">large range of uniquely revealing identifiers</span></a><span style="font-weight: 400">, the collection of which can raise serious privacy and security concerns for users. 
While these myriad data points available on a user’s device can permit developers to deliver efficient, highly customized services, the breadth of data points collected by these mobile browsers is arguably excessive, and would likely raise concerns among the users of these applications were they aware of it — especially when vendors are unable to properly secure such data. The collection of such fine-grained information about a user, a user’s device, and a user’s online behavior (and its insecure transmission) would be especially concerning for high-risk users, which in China could include democracy activists, journalists, human rights advocates, lawyers, and others.</span></p> <h2 class="lh-solid mb3">Evaluating underlying causes for the similarities</h2> <p class="mt0"><span style="font-weight: 400">That the three China-based browser applications we have examined all evince strikingly similar data gathering and insecure data handling problems raises an obvious question of whether there is some underlying cause for the similarities. There are at least four possible explanations, all of which require further research.</span></p> <ol> <li class="mt2"><span style="font-weight: 400">The underlying similarities could simply be the result of coincidence — in other words, no underlying cause. It is possible that the engineers all settled on the same design choices independently. However, in the case of QQ Browser and Baidu Browser, where the same non-standard MTEA+MCBC algorithm was found to be used, both companies independently creating exactly the same encryption algorithm is highly unlikely to be a coincidence, and so coincidence seemingly cannot explain our findings entirely.</span></li> </ol> <ol start="2"> <li class="mt2"><span style="font-weight: 400">There could be common engineering norms or industry standards which the browser developers are following, and which are particularly loose in terms of privacy and security with respect to China’s industry. 
After all, data overreach — in the form of excessive requested permissions — </span><a href="http://www.pewinternet.org/2015/11/10/apps-permissions-in-the-google-play-store/" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">is a common characteristic of the application sector</span></a><span style="font-weight: 400"> worldwide. Targeted advertising is a primary motivation for developing applications, and so it is not surprising to find that there are industry norms and pressures to build in as much functionality to gather up as much information about users as possible — to err on the side of excess, in other words. It is entirely possible that design choices were made as a result of these industry norms and practices, especially in China, where there is a rapidly expanding and highly dynamic user base for application development. Developers may not have faced outside pressure to implement strong security protections in their applications, and norms regarding what constitutes private or personally identifiable data may vary or be poorly appreciated. These applications’ lax attention to security, combined with aggressive information gathering, may simply be the product of industry norms, of which the China case is an extreme example at the far end of the spectrum. </span></li> </ol> <ol start="3"> <li class="mt2"><span style="font-weight: 400">There could be directives from the government, or informal pressure coming from state security officials on company executives, and by extension the engineers, to build in a kind of “surveillance by design.” To be sure, we have no explicit evidence that the government of China directed these specific design choices. And, the questions we asked the companies about government directives or influence have not been directly answered. 
However, we know that China maintains an extensive censorship and surveillance regime and all companies are required by law to follow state regulations in this respect.<sup><a href="#2" class="pointer">2</a></sup></span><span style="font-weight: 400"> Last year, state-run Xinhua News Agency reported that police officers would be</span><a href="http://www.bloomberg.com/news/articles/2015-08-05/china-to-set-up-security-offices-inside-internet-companies" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400"> stationed within the country’s major technology companies</span></a><span style="font-weight: 400"> to fight criminal activity online. The Chinese government has also </span><a href="http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">asked major U.S. tech companies to sign a pledge</span></a><span style="font-weight: 400"> committing that, amongst other things, its products will be “secure and controllable,” raising fears about legal requirements to implement surveillance backdoors. There is a strong expectation that China’s information and communications technology sector will responsibly police their networks, as illustrated in </span><a href="http://chinalawtranslate.com/%E5%8F%8D%E6%81%90%E6%80%96%E4%B8%BB%E4%B9%89%E6%B3%95-%EF%BC%882015%EF%BC%89/?lang=en" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">Article 19 of China’s Counter-Terrorism Law</span></a><span style="font-weight: 400">: “Telecommunications operators and internet service providers shall, according to provisions of law and administrative regulations, put into practice network security systems and information content monitoring systems, technical prevention and safety measures, to avoid the dissemination of information with terrorist or extremist content. 
Where information with terrorist or extremist content is discovered, its dissemination shall immediately be halted, relevant records shall be saved, and the relevant information deleted, and a report made to public security organs or to relevant departments.” In such a climate, it is reasonable to hypothesize that company officers put in place wide-reaching data gathering functionalities either at the request of, or to appease the preferences of, China’s security services. More research is needed to evaluate this hypothesis.</span></li> </ol> <ol start="4"> <li class="mt2"><span style="font-weight: 400">Finally, it is possible that the design choices are a subtle combination of points 2 and 3 above. In other words, a culture of “collect as much as possible” and lax data transmission security reinforce each of the industry’s and government’s needs, but in an unspoken and largely informal way. In this case, companies and their engineers are following industry norms, which also serve to benefit the interests of government surveillance while complying with the broad spirit of applicable laws. If this were an accurate reading, only when and if industry standards were tightened up by the companies would government authorities feel compelled to intervene and enforce some discipline on them and their engineers (much in the same fashion that Apple has faced pressure from the U.S. Department of Justice after Apple’s tightening up of device security). It is noteworthy, in this respect, that government signals intelligence practices as evidenced by what has appeared publicly (e.g., the Snowden disclosures) already </span><a href="http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">make extensive use of the type of data leaked from applications</span></a><span style="font-weight: 400"> that we document in these reports. 
Having this type of data collected and archived by private companies on servers inside mainland China and transiting through China-based networks would conveniently enable such signals intelligence collection practices for Chinese security agencies, and would likely be looked upon favourably by authorities.</span></li> </ol> <p><span style="font-weight: 400">Regardless of which of the above is the answer, the effect is the same: the many millions of users of the applications we have studied are at risk of serious privacy and security compromises.</span></p> <h2 class="lh-solid mb3">Questions for Tencent</h2> <p class="mt0"><span style="font-weight: 400">On March 17, 2016, we sent a letter to Tencent with additional questions about the security vulnerabilities we identified. We sent the letter again on March 23, 2016. The letter is reproduced </span><a href="https://citizenlab.ca/wp-content/uploads/2016/03/TencentLetter.pdf" class="pointer"><span style="font-weight: 400">here</span></a><span style="font-weight: 400">.</span></p> <p><a name="analysis" class="pointer"></a></p> <h2 class="lh-solid mb3">Update: Analysis of updated versions of QQ Browser</h2> <p class="mt0"><span style="font-weight: 400">We notified Tencent of the security issues in QQ Browser on February 5, 2016. To address these issues, on March 2, 2016, Tencent released version 6.4.2 of the Android version, and on or before March 14, 2016, Tencent released version 9.3.6872 of the Windows version.</span></p> <h3 class="lh-solid mb3">Analysis of Android version 6.4.2</h3> <p class="mt0"><span style="font-weight: 400">Our analysis of version 6.4.2 of the Android version shows that some of our reported issues have been partially resolved and some remain unresolved. The Android version now uses a 1024-bit RSA key instead of a 128-bit RSA key to encrypt session keys. Moreover, session keys are now sampled from the entire 128-bit AES keyspace instead of being restricted to certain ASCII digits. 
This greatly increases the strength of the encryption used to transmit sensitive data. However, while a 1024-bit RSA key cannot be easily factored, we recommend using at least a 2048-bit key. Moreover, due to their use of “plain RSA,” their implementation may still suffer from other vulnerabilities stemming from, for example, their lack of any key padding, such as OAEP.</span></p> <p><span style="font-weight: 400">We also found that the server now encrypts its responses using the session key instead of a hardcoded key. This protects the server’s responses from being easily decrypted and injected, which makes any man-in-the-middle attack on QQ’s update process more difficult. However, the strength of the encryption of these responses and their resistance to man-in-the-middle attacks also suffers from the caveats mentioned in the earlier paragraph.</span></p> <p><span style="font-weight: 400">We found that text typed into the address bar for searching or to go to a URL is still sent unencrypted.</span></p> <h3 class="lh-solid mb3">Analysis of Windows version 9.3.6872</h3> <p class="mt0"><span style="font-weight: 400">Our analysis of version 9.3.6872 of the Windows version shows that some of the issues we reported have been resolved and some remain unresolved. We found that all WUP requests sent by the Windows browser still use the same symmetric, easily decryptable algorithm. 
However, of the five different WUP requests that this report describes the Windows version as making, we did not observe three (</span><i><span style="font-weight: 400">qbindexblacklist.testUrl</span></i><span style="font-weight: 400">, </span><i><span style="font-weight: 400">qbkpireportbak.stat</span></i><span style="font-weight: 400">, and </span><i><span style="font-weight: 400">login.login</span></i><span style="font-weight: 400">) in the latest version, while we observed the browser still sending the other two (</span><i><span style="font-weight: 400">devicesniffer.DeviceSnifferHandle</span></i><span style="font-weight: 400"> and </span><i><span style="font-weight: 400">qbpcstat.stat</span></i><span style="font-weight: 400">). This means that almost all sensitive identifiers that we originally reported, including MAC addresses, hard drive serial numbers, and Windows user security identifiers, are still being sent using symmetric cryptography that can be easily decrypted.</span></p> <p><span style="font-weight: 400">We also found that the URL for each page visited is still sent to </span><a href="http://masterconn.qq.com" class="pointer" target="_blank" rel="noopener"><span style="font-weight: 400">http://masterconn.qq.com</span></a><span style="font-weight: 400"> using the same easily decryptable encryption; however, now only the protocol and domain of each page visited are sent, not the full URL.</span></p> <p><span style="font-weight: 400">Software updates are now checked via HTTPS instead of HTTP. This secures users against both of the attacks on the Windows version’s update process that we describe in this report by preventing attackers from being able to perform man-in-the-middle attacks.</span></p> <h2 class="lh-solid mb3">Acknowledgments</h2> <p class="mt0"><span style="font-weight: 400">The authors would like to thank Sarah McKune and Masashi Crete-Nishihata for assistance and peer review on this report. 
Jeffrey Knockel’s research for this project was supported by the Open Technology Fund’s Information Control Fellowship Program, and Adam Senft’s research was supported by the John D. and Catherine T. MacArthur Foundation (Ronald J. Deibert, Principal Investigator).</span></p> <h2 class="lh-solid mb3">Footnotes</h2> <p class="mt0"><a name="1" class="pointer"></a><sup>1</sup> It is notable that all of the locations from which we downloaded the clients used unencrypted HTTP connections, which presents another potential security concern.<br> <a name="2" class="pointer"></a><sup>2</sup> China’s Counter-Terrorism Law, which came into effect on January 1, 2016, includes requirements for telecommunications operators and Internet service providers to “provide technical interfaces, decryption, and other technical support assistance to public security organs and state security organs conducting prevention and investigation of terrorist activities in accordance with law”. While the final text of the law appeared to back away from controversial requirements in earlier draft versions of the law, which required companies to provide backdoor access and submit encryption keys to authorities, the passed version of the law still requires companies to provide technical assistance and potentially decrypt user communications. 
While the precise definitions of what types of companies are included and what types of assistance they would be required to provide are still forthcoming, in all likelihood “a broad range of companies with an internet presence in China” will be included.</p> <h2 class="lh-solid mb3">Appendix</h2> <p class="mt0">We have documented all correspondence with Tencent related to these security issues here:</p> <table class="wb-normal ba b--light-gray" border="0" cellspacing="0"> <tbody> <tr class="striped--light-gray"> <th>Date</th> <th>Contact</th> </tr> <tr class="striped--light-gray"> <td>February 5, 2016</td> <td>We submitted a security disclosure to Tencent via their online disclosure mechanism at: http://en.security.tencent.com/.</td> </tr> <tr class="striped--light-gray"> <td>February 16, 2016</td> <td>Status of report changed to “confirmed,” comment is left thanking us for our report.</td> </tr> <tr class="striped--light-gray"> <td>February 17, 2016</td> <td>We inquire what steps will be taken to resolve the reported issues and what the timeline will be for their resolution.</td> </tr> <tr class="striped--light-gray"> <td>February 21, 2016</td> <td>They indicate that a new version fixing the vulnerabilities will be released in March.</td> </tr> <tr class="striped--light-gray"> <td>February 24, 2016</td> <td>They indicate that a new version fixing the vulnerabilities will be released “next week.”</td> </tr> <tr class="striped--light-gray"> <td>March 3, 2016</td> <td>They ask for us to leave an address to send a bug bounty gift. 
(Their bug bounty is <a href="http://en.security.tencent.com/#/index" class="pointer" target="_blank" rel="noopener">described on their security disclosure site</a> as company swag such as “Tencent dolls”).</td> </tr> <tr class="striped--light-gray"> <td>March 8, 2016</td> <td>They state that fixed versions have been released.</td> </tr> <tr class="striped--light-gray"> <td>March 10, 2016</td> <td>We report our findings analyzing version 6.4.2 of the Android version. We also report that we could not find any changes in the Windows version and inquire whether we are analyzing the right version.</td> </tr> <tr class="striped--light-gray"> <td>March 14, 2016</td> <td>Tencent responds providing a link to the latest Windows version saying that they have fixed a number of the issues we reported. They report that they have upgraded the update check to use HTTPS. In addition, they report that they will only send the domain of viewed pages instead of the full URL, as a means of judging if a website is malicious. They also mention that they will still send the GUID since it is not personally identifying.</td> </tr> <tr class="striped--light-gray"> <td>March 18, 2016</td> <td>We respond confirming the changes in the Windows version and saying that we can still see other sensitive information in many WUP requests such as MAC addresses and hard drive serial numbers.</td> </tr> <tr class="striped--light-gray"> <td>March 20, 2016</td> <td>They respond saying that they have tried their best to resolve all reported problems, and they inquire as to whether we have any new problems to report.</td> </tr> <tr class="striped--light-gray"> <td>March 22, 2016</td> <td>We say that aside from the problems we have already reported we have no new issues to report. 
We say that we will be publishing our findings on March 28.</td> </tr> <tr class="striped--light-gray"> <td>March 22, 2016</td> <td>They justify the collection of hard drive serial numbers by saying that “Hard drive serial number is use for identifying independent user, so that QQ Browser can offer personalized service.” They then inquire as to where we will be releasing our published findings.</td> </tr> <tr class="striped--light-gray"> <td>March 23, 2016</td> <td>We say that we will release our findings on https://citizenlab.ca/ . We also link to the letter that we sent to Tencent and ask if they know of an appropriate contact to answer the letter’s questions.</td> </tr> <tr class="striped--light-gray"> <td>March 24, 2016</td> <td>They thank us for our feedback.</td> </tr></tbody></table> </section> <section id="media_mentions" class="mb4 mt4 bt b--light-gray pt4 pb2"> <h2 class="mt0 mb2">Media Mentions</h2> <p><a href="http://www.wsj.com/articles/chinas-top-web-browsers-leave-user-data-vulnerable-group-says-1459198802">Wall Street Journal</a>, <a href="https://www.washingtonpost.com/news/worldviews/wp/2016/03/28/chinese-browser-gathers-pathological-level-of-personal-data-and-then-stores-unsafely-study-finds/">Washington Post</a>, <a href="http://fortune.com/2016/03/29/china-qq-browser/">Fortune</a>, <a href="http://money.cnn.com/2016/03/29/technology/china-web-browsers-security-privacy/">CNN Money</a>, <a href="http://www.theglobeandmail.com/technology/popular-web-browser-in-china-may-put-users-data-at-risk-report/article29425182/">Globe and Mail</a>, <a href="https://www.zdnet.com/article/citizen-lab-adds-tencent-qq-to-browser-hall-of-shame/">ZDNet</a> (1), <a href="https://www.zdnet.com/article/china-rejects-worry-over-domain-rules/">ZDNet </a>(2), <a href="http://www.wcvb.com/money/security-flaws-found-in-top-chinese-web-browsers/38741600">WCVB ABC</a>, <a href="http://phys.org/news/2016-03-major-privacy-issues-popular-china.html">Phys.org</a>, <a 
href="http://www.ibtimes.com/chinas-qq-browser-exposes-user-data-weak-security-could-lead-malicious-attacks-2344802">International Business Times</a>, <a href="http://motherboard.vice.com/en_uk/read/popular-chinese-browser-transmits-user-info-with-terrible-encryption">VICE Motherboard</a>, <a href="http://www.livemint.com/Companies/f5WmASOxuZfhcH0eG6fYdN/Samsung-Pay-launches-in-China-Myntra-to-take-over-Forever-2.html">live mint</a>, <a href="http://www.chinatechnews.com/2016/03/30/23312-tencents-qq-browser-rife-with-privacy-problems">ChinaTechNews</a>, <a href="http://www.fastcompany.com/3058432/fast-feed/the-top-3-web-browsers-in-china-leave-users-vulnerable-report-says">FastCompany</a>, <a href="http://thechronicleherald.ca/business/1352879-popular-chinese-web-browser-may-put-hundreds-of-millions-of-personal-data-at-risk">The Chronicle Herald</a>, <a href="http://www.thestar.com/business/2016/03/29/popular-chinese-web-browser-could-put-millions-of-users-data-at-risk.html">Toronto Star</a>, <a href="http://www.scmagazine.com/top-chinese-browser-lets-users-be-tracked-and-attacked/article/485951/">SC Magazine</a>.</p> <p>Listen to Citizen Lab Senior Researcher <a href="http://www.rcinet.ca/en/2016/03/29/internet-whos-watching-what-you-do-where-you-are/">Jeffrey Knockel’s interview with Radio Canada International</a>.</p> </section> <footer> </footer> </article> <aside class="social-sidebar"> <div id="social-sidebar" role="complementary" class="w-100"> </div> </aside> </section> </main> </div> </body> </html>