UC Browser leaks sensitive user data: Citizen Lab

A popular mobile web browser from a company that Alibaba Group Holding Ltd paid over $1 billion to acquire last year, leaked sensitive user data and was a privacy risk, according to a Canadian technology research group.

Citizen Lab said yesterday that Chinese and English-language versions of UC Browser, developed by UCWeb Inc, made personally identifiable information like location, search details and mobile subscriber and device numbers available to third parties.

The transmission of this information "represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data", it said in a report.

According to Alibaba spokesman Bob Christie, the problems were immediately fixed and customers notified of an update to the browser after Citizen Lab brought the issues to Alibaba's attention in April.

According to Citizen Lab, based at the University of Toronto, UC Browser had over 500 million registered users and was the most popular web browser in China and India.

Citizen Lab said, the Chinese version was more vulnerable and by installing and opening that version users exposed "a significant number" of personal identifiers and location information to third parties.

"By leaking a large volume of fine-grained data points to multiple network operators, the UC Browser app is increasing the risks to its users that such data may be used against them by authorities, criminals, or other third parties," it said.

It appeared from the findings of Citizen Lab that both English & Chinese editions of UC Browser for Android could leak personal information about the user to the network operator or any attacked on the network.

The personal information included Cellular Subscriber Information, GeoLocation Data, Search Queries, IMSI, IMEI, Android ID, Mobile Device Identifiers, etc.

The researchers submitted their report to Alibaba as also UCWeb in April and taking due action on these findings, Alibaba in response said its security engineers had started working on resolving the issue.

On 19 May, the Citizen Lab team decided to again test the new version of the Chinese language version of UC Browser and found that it did not send the location data insecurely to AMAP as was earlier pointed out by them.

However, the issues about insecure data transmission to the Umeng component and search queries lacking encryption still remained.