Alibaba-owned UC Browser has been leaking browsing and search history data to UCWeb even when its 500 million users browse in the incognito mode on Android and iOS, researchers revealed on Tuesday.
While the behaviour is slightly different across both platforms, the principle is the same – sending data logs from UCBrowsers back to UCWeb’s servers. On iOS devices, the sensitive data sent is gzipped beforehand, while on Android, the traffic is AES encrypted after being compressed.
The data logs that go back to UCWeb contain detailed information on browsed URLs, search terms, device details and other sensitive information. While most users assume that incognito mode will keep them safe from such excursions, the browser sends your data back regardless.
UC Browser is developed by UCWeb, which the China-based Alibaba Group owns. The browser was banned in India alongwith TikTok and 57 other apps from Chinese developers in June 2020, citing security concerns.
Taking a data bite from the Apple
The data fetching requests are made over an HTTPS connection, but that’s really where the security of your data ends — these requests binary data, which is essentially gzip-compressed files. The files aren’t even password-protected, and anyone can extract them to access your sensitive data.
This isn’t local to a region either; according to the findings of Gabi Cirlig, a software developer who ran these tests along with a friend Nicolas Agnese, the behaviour is the same regardless of where you’re browsing from. Gabi verified this from three different IPs coming from the US, Europe and India.
Data regarding your browsing history and more was also sent over to UCWeb with the same detail. To capture and extract any gzip files sent, anyone can leverage a MITM proxy and gunzip the traffic.
Apart from your browsing history, the data includes the following as well.
- Serial number of the device (unique to the device and internal to USWeb)
- Timestamp of navigation.
- Geolocation data, including neighbourhood and town/city.
- IMEI and MAC address of the device. However, as reported by Gabi, these fields were blank.
In the News: Drones can operate in 166 new green zones in India
Android’s too bites the dust
Gabi claims to have noticed a lot of pinbacks to US’s servers after installing UCBrowser. On further inspection, these requests clearly indicate that they’re sending the URLs visited back to their servers. Note that this transmission is happening in incognito.
These strings, however, are AES encrypted. By using an AES interceptor, one can easily intercept and access these strings. They contain data about the domains you visit, your IP address and a proprietary ID that can be used to fingerprint users.
To further verify that the data showed in these strings is actually sent to the server, the researchers dove further deep into the source code and, by linking all AES calls and manually checking them, they found a stack trace that produced a JSON file.
The JSON contained a key string which was in turn used to decode the ciphertext and inspect the payload.
This also isn’t the first time UCWeb has had privacy issues. The findings are no longer applicable as the exfiltration mechanism, and endpoints have been changed. However, even after contacting Alibaba (owner of UCWeb), the users’ browsing/location data is still being sent to UCWeb.