Skip to main content

The Globe and Mail

Tencent's QQ web browser may put users’ data at risk: report

A man uses a mobile phone in front of a logo of Tencent at the Global Mobile Internet Conference (GMIC) 2015 in Beijing, China, in this April 28, 2015 file photo.

Kim Kyung Hoon/Reuters

A popular web browser in China may be putting the personal information of hundreds of millions of users at risk, a new report has found.

Tencent's QQ browser has 853 million monthly active users, according to the company's most recent public figures. The majority of its users live in China and other countries in Asia.

The browser's Android and Windows versions send personal data to the company's servers either without encryption or with encryption that can be easily decrypted, according to a report from the Citizen Lab, based at the University of Toronto's Munk School of Global Affairs. This personal data include the URL addresses of visited sites.

Story continues below advertisement

A public WiFi network or another third party could acquire users' personal data by collecting traffic and decrypting the information.

The report also exposed privacy vulnerabilities in how the two browser versions update software. Someone could spoof such an update and install malicious code, like a spyware program, on a QQ browser user's device, the authors found.

QQ browser users generally would not be aware of these risks, the authors wrote, and would likely be concerned about the privacy breach if they knew.

In China, the security breach could pose problems for democracy activists, human rights advocates and other so-called high-risk Internet users, according to the report.

The report studied the Android version 9.2.5478 and the Windows version 6.3.01920.

Citizen Lab's director Ronald Deibert sent a letter to Tencent in mid-March asking if the company plans to correct the uncovered privacy vulnerabilities. Tencent did not provide answers prior to the report's publication. However, Tencent did release updates to its Android and Windows versions before the report was published. Both new versions resolve some of the privacy issues.

Citizen Lab has previously found similar privacy concerns with UC browser and Baidu browser. Former National Security Agency contractor Edward Snowden also leaked documents that indicated the Five Eyes intelligence alliance, which includes Canada, used the UC browser's privacy shortcomings to identify and track users, according to the report.

Story continues below advertisement

The similarities between the three browsers' privacy concerns could be a coincidence, the adherence to industry standards, the result of government directives or informal pressure from officials or businesses, or a mix of the latter two factors, the authors suggest. All these causes require more research, they say.

Report an error
As of December 20, 2017, we have temporarily removed commenting from our articles as we switch to a new provider. We are behind schedule, but we are still working hard to bring you a new commenting system as soon as possible. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.