Please stop using Alibaba's UC Browser immediately, including the mobile and desktop versions of UC Browser: user information is sent unencrypted directly to the parent company Alibaba.
UC Browser is a mobile browser with over 500 million registered users worldwide and is the most popular mobile browser in China and India. In the report "A Chatty Squirrel: Privacy and Security Issues with UC Browser", the Citizen Lab identified multiple privacy and security vulnerabilities in the Chinese and English Android versions of UC Browser and discussed their significance.
The report shows that the Android version of UC Browser performs poorly at protecting data. It describes how the Chinese version insufficiently protects sensitive user data while transmitting it to its destination; the data concerned includes device identifiers, nearby Wi-Fi access points, cellular tower information, and search queries sent to the search engine Shenma. The Chinese version of UC Browser also permanently retains users' DNS query history, even after the user has deleted personal information using the application's built-in functions.
The English version of the application sends search queries unencrypted to Yahoo! India or Google; apart from that, it does not exhibit the information leaks present in the Chinese version.
Analysis shows that the information leaked by the Chinese version could be used to track a person's location in real time or retroactively. Moreover, the user's inability to delete the DNS query history means that any capable third party could learn the user's past browsing history by accessing the application's cache. Because queries to the search engines are not encrypted, both the Chinese and English versions of the application have very weak security.
What should UC Browser users do?
On April 15, 2015 we disclosed our findings to Alibaba (the company that provides UC Browser) and informed them that we would not publish our findings before April 29, 2015. The company responded on April 19, saying that Alibaba security engineers were investigating the issue. On April 23 we contacted the company again to reiterate our intention to publish our research on April 29.
On May 19, 2015 we tested version 10.4.1-576 of the Chinese UC Browser, downloaded from the uc.cn website. This version differs from the version tested in the report (10.2.1_161): it no longer sends location data unencrypted to AMAP. However, the problems noted in the report concerning unencrypted data transmission to Umeng and the lack of encryption for the search function were not fixed in this version. Users of the Chinese version of UC Browser should upgrade and make sure they are running version 10.4.1-576 or later.
We analyzed Chinese version 10.2.1_161 and English version 10.4.1.565, but did not perform program analysis on the newer version. Users who want to know whether Alibaba has made any further progress in resolving the problems identified in our report should contact Alibaba directly ([email protected]).
The English original follows:
Summary: Privacy and Security Issues with UC Browser
UC Browser is a mobile web browser application that has over 500 million registered users and is the most popular mobile web browser in China and India. The report “A Chatty Squirrel: An Analysis of Privacy and Security Issues with UC Browser” discusses the significance of multiple security and privacy deficits that the Citizen Lab identified and documented in the English and Chinese language Android versions of UC Browser. This analysis was prompted by a slide presentation leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) asked us to comment. The document was prepared in 2012 by Canada’s signals intelligence agency, the Communications Security Establishment (CSE), and noted the existence of security vulnerabilities in the UC Browser application.
Our report reveals that UC Browser poorly secures data in its English and Chinese language versions for Android. The report discusses how sensitive user data, such as device identifiers, nearby Wi-Fi access points, and cellular tower information, as well as search queries to the search engine Shenma, are insufficiently secured by the Chinese version of the application before transmitting to its destination. The Chinese version also permanently retains users’ DNS query history which was discovered after researchers tried to delete personal information using the application’s built-in personal information deletion functions.
The English version of the application sends search queries to Yahoo! India or Google without encryption; however, it does not exhibit the other information leakages present in the Chinese version of the application.
Our analysis shows that the information leakages in the Chinese version of the application could be used to track the location of persons either in real-time or retroactively. Moreover, the application's failure to delete DNS queries means that third parties that access the application's cache could determine what websites a user had previously visited. Both the Chinese and English versions of the application exhibit poor security practices by failing to encrypt queries made to either Chinese- or English-based search engines.
While media outlets are publishing a story about the CSE document we cannot positively determine if the problems we identified in UC Browser, which are described in our report, are similar to or the same as those referenced in the CSE document.
Analysis
This research demonstrates the poor data security practices of an Android application that may ultimately threaten users’ privacy. The transmission of unencrypted search engine queries enables third parties to monitor searches as well as potentially return modified search results without the user realizing that their data has been monitored or modified. Sensitive personal information can be inferred from search results including health conditions, such as pregnancy, disease, mental and psychological conditions, marital relations, and medical information. The data can also be used by third parties to develop, use, and sell user profiles and by corporate or government agents to modify or prevent access to certain search results.
The Chinese version of UC Browser has trivially encrypted cellular tower location information using symmetric AES/CBC encryption that uses a hard-coded key. The use of a hard-coded key and symmetric encryption enables third parties to decrypt cellular tower information in real-time as they read it, or retroactively as they gain access to previously captured and stored UC Browser data traffic. The application transmits device identifiers, including IMSI, IMEI, the Android ID, and Wi-Fi MAC address, without encryption. In aggregate these pieces of information can be used to track individuals as they move around the world, to conduct social network analyses by determining who is located near whom at what times of the day, and to identify ‘aberrant’ activities such as being in the proximity of persons/devices that are subject to surveillance or being in a location that the device normally does not pass through or near.
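The hard-coded-key weakness described above, as an added example that is not part of the Citizen Lab report and is not UC Browser's code: a client encrypts a constructed cell-tower record with AES-CBC under a key embedded in the binary, and a passive observer who has pulled that same key out of the APK decrypts the captured message, whether it was captured live or archived years earlier. The key bytes, the record format and the IV-prepended framing are all assumptions of this example, not values taken from the application.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey stands in for the key a build of the app would carry in its
// code. The value is made up for this example and is NOT UC Browser's key.
// Anyone who unpacks the APK obtains the same bytes, so the key provides no
// confidentiality against them.
var hardcodedKey = []byte("example-16-byte!") // 16 bytes -> AES-128

// pkcs7Pad pads plaintext to a multiple of the AES block size.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding, rejecting malformed input.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// appEncrypt models the client: AES-CBC under the embedded key, with a random
// IV prepended to the ciphertext (the framing is an assumption of this example).
func appEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// observerDecrypt models a third party who captured the traffic and recovered
// the same key from the APK. It works identically on live and stored captures.
func observerDecrypt(key, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("truncated or misaligned message")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// RecoverCellInfo runs the whole scenario: the app encrypts a constructed
// cell-tower record, then the observer decrypts it "from the wire" using only
// the key lifted from the APK. The field names are illustrative.
func RecoverCellInfo() (string, error) {
	record := []byte("mcc=460&mnc=01&lac=4132&cid=20301") // constructed sample
	captured, err := appEncrypt(hardcodedKey, record)
	if err != nil {
		return "", err
	}
	recovered, err := observerDecrypt(hardcodedKey, captured)
	if err != nil {
		return "", err
	}
	return string(recovered), nil
}

func main() {
	got, err := RecoverCellInfo()
	if err != nil {
		panic(err)
	}
	fmt.Println("observer recovered:", got)
}
```

The observer needs nothing beyond the capture and the static key, which is why encrypting with a key shipped in every copy of an app is obfuscation rather than confidentiality; because the key never changes, the same routine decrypts traffic recorded long before the key was extracted. Only a secret the observer cannot read out of the binary, such as the per-connection keys negotiated by TLS to the collection endpoint, closes this gap.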
The report highlights significant variations between the data security of the Chinese and English versions of the application. We conclude that users of the English version experience fewer privacy or security problems than users of the Chinese version.
What Should UC Browser Users Do?
We disclosed our findings to Alibaba (the parent company of UCWeb, the creator of UC Browser) on April 15, 2015, and informed them that we would publish this report on or after April 29, 2015. The company responded to our notification on April 19, 2015, indicating that Alibaba security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015.
On May 19, 2015 we tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. This version does not appear to send location data insecurely to AMAP as described in this report. The issues we describe in this report relating to insecure data transmission to the Umeng component, as well as the lack of encryption on search terms, do not appear to have changed in this version. Users who use the Chinese version of UC Browser should upgrade the application and ensure they are running version 10.4.1-576 or above.
We suggest that users contact Alibaba [[email protected]] if they are interested in learning about what progress has been made in resolving the problems we uncovered in our analyses.