Alibaba’s extremely popular UC Browser has some serious security flaws that leak users’ private data to third parties. Last year, Alibaba paid over a billion dollars to acquire UCWeb, the developer of the mobile web browser UC Browser. Canada-based Citizen Lab revealed in a new report on Thursday that the Chinese and English-language versions of UC Browser are a privacy risk.
UC Browser transmits data without encryption
The Canadian firm started analyzing the browser after some media organizations contacted it for comment on a document from Canada’s Communications Security Establishment. The document, leaked by former NSA contractor Edward Snowden, revealed vulnerabilities in UC Browser.
In its analysis, Citizen Lab found that both the English and Chinese-language versions of the browser leaked personally identifiable information such as location, search details, and device numbers to third parties. The Chinese version was even more vulnerable. The researchers analyzed the browser’s data traffic over both WiFi and cellular networks.
The browser’s AMAP component, an Alibaba mapping tool, sends device and user identifiers, as well as location data, to a remote server. Alibaba’s analytics tool Umeng also sends device identifiers to a remote location. The shocking thing is that all the data is sent with little or no encryption, so anyone with access to the data traffic can identify users and their devices.
Alibaba fixes the issue
The leaked private data can be used against UC Browser users by criminals, authorities, or other third parties. Another issue is that users’ private data is not completely deleted when they clear the browser history, input history, login records, cookies and the cache. Citizen Lab said that, though most of the data is deleted, a record of the app’s DNS lookups remained on the device.
UC Browser has more than 500 million registered mobile users. It boasts a 65% market share in China. Alibaba spokesman Bob Christie told Reuters that the issues were fixed immediately after Citizen Lab brought them to the company’s notice. The company has also notified customers of an update to the browser.