Unfortunately it would be more of a surprise that a Chinese Internet company did not have a security hole, but the latest finding from an overseas research team confirms that Tencent's QQ Browser leaks user data.
Tencent, China's largest Web portal company, itself also confirmed the vulnerabilities to the researchers at Citizen Lab, an interdisciplinary laboratory based at Canada's Munk School of Global Affairs in the University of Toronto.
In a newly published report, Citizen Lab alleges the QQ Browser sends "a user's IMEI, IMSI, nearby WiFi access points, search queries entered into the address bar, URLs of pages visited, and Android ID, without encryption or with easily decryptable encryption" to QQ's servers. Both Windows and Android versions of QQ Browser apparently incorporate these vulnerabilities. Plus, some of the information is only encrypted using 128-bit RSA, which is not difficult to deconstruct.
This means that not only does QQ gain sensitive user data, but a "man-in-the-middle" attack can easily exploit these flaws to grab user data too. This can include online bank information, Web surfing habits, passwords, and other personal and private information.
Citizen Lab says they alerted Tencent on February 05, 2016, but by March 24 only some of the issues had been addresses or fixed. Tencent is not alone in harboring an insecure browser — Chinese search Baidu also apparently has privacy and security issues.
