Personal data is being collected and transmitted insecurely by thousands of apps using code from the Chinese net giant Baidu, say security researchers.
Security personnel say that thousands of apps, using code from the Chinese internet giant Baidu, collect and send personal data without protection.
Millions of Chinese people are believed to have been affected by the data leaks, said security experts at the University of Toronto.
Security experts at the University of Toronto say millions of Chinese people are believed to have been affected by the data leak.
The data reveals where people are, search terms, sites visited and the ID numbers of devices they own.
The data leaked people's locations, search entries, visited addresses and their own ID card numbers.
Baidu said it had tackled the problems with the insecure computer code.
Baidu said it has started to address the problems with this insecure computer code.
’Shoddy design’
“Shoddy design”
The code is found in a software development kit that can be used to create apps for Android phones.
The code problem was found in a software development kit for developing apps for Android phones.
Baidu itself used it to make web browsers for Android and Windows and many other firms have used the kit too.
Baidu's own web browser, its Windows browser, and many companies that use the development kit were also affected.
Apps and browsers made using the Baidu kit have been downloaded hundreds of millions of times, said researchers at Toronto’s Citizen Lab in the report. As part of a long-running research project, the Lab has focussed on privacy and personal data use in China. Last year the team found shortcomings in the Alibaba browser.
Researchers at Toronto's Citizen Lab said in the report that apps and browsers made with the Baidu toolkit have been downloaded millions of times. As part of a long-running research project, the Lab focuses on privacy and the use of personal data in China. Last year the team found flaws in the Alibaba browser.
The latest report found several security and privacy shortcomings in the Baidu code.
The latest report found that the Baidu code has security and privacy drawbacks.
Some data, including GPS coordinates and search terms, is sent in plain text.
Some data, including GPS coordinates and search terms, is sent in plain text.
In addition, the protections added to other forms of information, such as unique device IDs, could easily be broken.
In addition, the protection added to other forms of information, such as unique device identifiers, could easily be broken.
Poor protection of apps made with the kit also made users "susceptible" to fake updates that could give an attacker access to a phone or a Windows computer.
The weak protection of apps built with the kit also leaves users susceptible to fake information, allowing an attacker to quickly break into a phone or computer.
"The transmission of personal data without properly implemented encryption can expose a user’s data to surveillance," said the authors in their report.
The report's authors said: "The transmission of personal data without properly implemented encryption will directly expose a user's data."
Worryingly, they added, users would have no warning that the data was being transmitted or gathered.
They added that, worryingly, users received no warning that the data was being transmitted or collected.
"It’s either shoddy design or it’s surveillance by design," Ron Deibert, director of the Citizen Lab, told Reuters.
"It is either shoddy design or deliberate surveillance," Ron Deibert, director of the Citizen Lab, told Reuters.
Fixed?
Fixed?
Citizen Lab said that Baidu had fixed some of the bugs in the code since it had first been told about them in November last year.
Citizen Lab said that, since it brought the vulnerabilities to Baidu's attention in November last year, Baidu has fixed some of the errors in the code.
However, it added, the poor encryption scheme was still being used on sensitive data.
However, despite the improvement, the poor encryption system was still being used on sensitive data.
Baidu said it was collecting the data about users for commercial purposes. Occasionally, it said, it shared the data with partners.
Baidu said the user data it is collecting is used for commercial purposes. Occasionally it also shares the data with partners.
It added that the information was not handed over wholesale to the Chinese authorities.
It added that the information was not handed over in bulk to the Chinese authorities.
It said it "only provides what data is lawfully requested by duly constituted law enforcement agencies".
Baidu said it "only provides data lawfully requested by law enforcement agencies".