Study Says Three Popular Chinese Browsers Have Security Risks

David Meyer, April 4, 2016

If you are using China's most popular browsers, be careful, because they are very likely not safe. Researchers at the University of Toronto's Citizen Lab previously criticized UC Browser and Baidu Browser as insecure, and have now found that the widely used Windows and Android versions of QQ Browser also have serious security problems.

The security researchers note that when QQ Browser sends users' personal information back to Tencent's servers, it either applies no protection at all or uses encryption that is easily broken.

They theorize that these could be deliberately planted backdoors, intended to widen the reach of government surveillance.

Both the Windows and Android versions of QQ Browser send back the addresses of the web pages visited, along with identifying information about the phone or computer used to browse. The Android version of QQ Browser also sends back the keywords the user types into the search box, again with equally weak protection.

In addition, the researchers say, both versions of QQ Browser have flaws in their software update mechanisms that others could exploit to install malware on users' devices.

Why do these problems matter? First, almost half of China's mobile phone users use the Android version of QQ Browser. The researchers point out:

Insecure data transmission means that any in-path actor (for example, the user's internet service provider, a coffee shop's WiFi network, or a malicious actor who reaches the network through any of these access points) can obtain all kinds of personal information by collecting the traffic and decrypting it by some means.

Users of these Chinese browsers have more to worry about than opportunistic attacks. Information leaked earlier by Edward Snowden showed that intelligence agencies were well aware of similar vulnerabilities in UC Browser (which has more than 500 million users in China and India) and were exploiting them to monitor the public, as Citizen Lab confirmed in May 2015.

The similar security flaws in QQ Browser, UC Browser and Baidu Browser aroused the researchers' suspicion, and they asked Tencent whether there was a deeper reason, but Tencent never replied. After the problems were pointed out, Tencent did improve some of QQ Browser's security mechanisms, but in the researchers' view it is still not secure enough.

The researchers note in their report that the various security flaws may stem from unwritten industry norms or from administrative pressure. After all, Chinese technology companies are subject to numerous regulations that oblige them to assist the government.

They write: "It is possible that company executives put wide-ranging data collection functions in place at the request of the security services, or to please them. More research is needed to verify this hypothesis." (Fortune China)

Translator: Charlie

Proofreader: 夏林

It’s probably not a great idea to use China’s top web browsers. After slamming the security of the UC and Baidu mobile browsers, researchers from Citizen Lab at the University of Toronto have now identified serious problems with both the Windows and Android versions of Tencent’s widely-used QQ Browser.

According to the security researchers, Tencent’s browsers transmitted personal user information back to the company’s servers with either no protection at all, or poorly implemented encryption that could easily be broken.

The researchers theorized these could be deliberate backdoors, aimed at expanding state surveillance.

Both versions sent back the addresses of visited pages, along with identifying data about the phones or computers being used for the surfing. The Android version of the QQ Browser also sent back search terms that the user typed into the address bar, again with poor security protection.

What’s more, the researchers said, there were holes in the software-update mechanisms for both browsers, making it possible for someone to send malware to the user’s device.

Why does all this matter? Firstly, the Android version of the QQ Browser is used by almost half of all Chinese mobile users. Here’s what the researchers said:

This insecure data transmission means that any in-path actor (such as a user’s ISP, a coffee shop WiFi network, or a malicious actor with network visibility across any of these types of access points) would be able to acquire this personal data by collecting traffic and performing any necessary decryption.

It’s not just random attackers that users of these Chinese browsers need to be concerned about. As Citizen Lab demonstrated last May, Edward Snowden’s leaks showed that similar vulnerabilities in the UC Browser (used by over half a billion people in China and India) were known to intelligence services, and used to spy on people.

Suspicious of the similarities between the security holes in the QQ, UC and Baidu browsers, the researchers said they asked Tencent whether there was an underlying reason. They received no answer, but Tencent did strengthen some of the browsers’ security mechanisms after being notified of the flaws — though not to the satisfaction of the researchers.

In their paper, the researchers suggested the flaws could result from poor industry norms and/or pressure from the authorities, who want to be able to easily spy on citizens. After all, China has numerous regulations on tech firms, demanding that they aid authorities.

“It is reasonable to hypothesize that company officers put in place wide-reaching data gathering functionalities either at the request of, or to appease the preferences of, China’s security services,” they wrote. “More research is needed to evaluate this hypothesis.”
