If you use Tencent’s QQ web browser your personal data is at risk, experts warn

Major security flaws found as browsers transmit information in a non-secure way due to poor encryption; speculation rife that Chinese sites may have been instructed to do this by higher powers

PUBLISHED : Tuesday, 29 March, 2016, 4:33pm
UPDATED : Tuesday, 29 March, 2016, 8:22pm

The popular QQ web browser owned by Tencent, China’s largest internet service portal, has security flaws that could result in the leaking of personal user data, including web and search history, according to a new international study.

QQ, which has hundreds of millions of users, was found by the University of Toronto’s Citizen Lab to have significant security issues relating to encryption.

The laboratory, which focuses on advanced research and development of information and communication technologies, said it had previously discovered similar problems in China’s other top browsers, including Baidu and Alibaba’s UC browser.

“Web browsers are trusted to carefully handle sensitive information inputted by users and securely transmit to web servers,” the report said.

“However, QQ browsers and other browsers studied violate this standard of trust by not only collecting sensitive user data themselves, but then also insecurely transmitting it.”

In their report, authors Jeffrey Knockel, Adam Senft and Ron Deibert said that both the Windows and Android versions of the QQ browser send personal data to servers without proper encryption, leaving it easily accessible to third parties.

They said the software was also vulnerable during updates.

“This insecure data transmission means that any in-path actor (such as a user’s internet service provider, a coffee shop Wi-fi network, or a malicious actor with network visibility across any of these access points) would be able to acquire this personal data,” they said.

A malicious programme, such as spyware or malware, could be installed on the device during the software update process, according to the report.

After sending a letter to Tencent notifying it of the security flaws in its browser, the authors said the company had only corrected some of the issues with its latest patch.

As three of China’s most popular web browsers appeared to have the same issues, the report said it was possible that government or state security officials had requested whatever led to the vulnerabilities.

“We have no explicit evidence that the government of China directed these specific design choices... [but] we know that China maintains an extensive censorship and surveillance regime and all companies are required by law to follow state regulations in this respect,” they wrote.

When contacted by the South China Morning Post, a spokesperson for Tencent said the company is “committed to the high standards of security and protection of user privacy and has always treated it as a key priority”.

“Our teams have processes in place to identify and resolve glitches at product pre- and post-release stages. However, from time to time, we may be notified of glitches via user feedback or industry-leading authorities,” the person said.

“We investigated and resolved the concerns with QQ browser shortly after we received the notification by Citizen Lab on February 5, 2016. Though no users were affected, we are still encouraging all users to download the latest version.”