Citizen Lab adds Tencent QQ to browser hall of shame

The QQ browser from Tencent has been found by Citizen Lab, a research group within the University of Toronto, to be transmitting personally identifiable data with little or no encryption, leaving users open to man-in-the-middle data collection.

In its findings, Citizen Lab said that QQ is also vulnerable to arbitrary code execution thanks to an insecure update process.

"QQ Browser phones home information on your device's hardware serial numbers, and tracks your location and every page you visit," said Jeffrey Knockel, senior researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs. "Even the person you trust most does not have access to this amount of information on you, and yet QQ receives it from everyone who uses their browser."

Among the data collected by QQ on Android, Citizen Lab found that the browser returns full page URLs, the phone's unique IMEI number, and nearby wireless networks, along with the device's and nearby Wi-Fi access point's MAC addresses and signal strengths under a poorly implemented encryption scheme. QQ was also found that it sends without encryption its address bar contents, and identifying strings generated by the browser.

For its Windows version, QQ sends page URLs, Windows version, and a "hardware fingerprint" hash without encryption. The machine's hard drive serial number, IP address, host name, and gateway MAC address are sent using its poorly implemented encryption scheme.

After notification, Citizen Lab said Tencent updated its browser to fix some of the issues it had found, but not all.

"The collection of such sensitive information about a user, and its insecure transmission across networks, is disturbing regardless of where it takes place," Ron Deibert, director of Citizen Lab, said. "But the fact that this is being undertaken in a context like China -- where there is extensive surveillance, companies are required by law to share user data with authorities on demand, and dissidents are routinely incarcerated for opposition to the government -- is a serious matter of personal security and human rights."

Last month, Citizen Lab found that Baidu Browser for Android and Windows was also sending personal data in the open, or with an easily breakable encryption scheme.

"Baidu endeavors to collect data in a way consistent with the highest standards of security and user privacy in the industry," Baidu said at the time.

In August last year, Tencent reported that its QQ instant messaging service had 843 million users, and WeChat had 600 million users.

Tencent announced in January that it was dropping plans to develop a QQ app for Windows 10 Mobile.