百度代碼被指收集並泄露用戶信息
Personal data is being collected and transmitted insecurely by thousands of apps using code from the Chinese net giant Baidu, say security researchers.
近日,有安全人員說表示,成千上萬個應用軟件使用了來自中國網絡巨頭百度的相關代碼,來收集和發送那些未加保護的個人數據。Millions of Chinese people are believed to have been affected by the data leaks. The data reveals where people are, search terms, sites visited and the ID numbers of devices they own.
數百萬中國人被認爲受到了數據泄露的影響。數據泄露了人們的位置、搜索條目、訪問地址以及自己的身份證號。Baidu said it had tackled the problems with the insecure computer code. The code is found in a software development kit that can be used to create apps for Android phones.
百度公司表示已經着手解決這些不安全的計算機代碼問題。這一代碼問題是在一個安卓手機app的軟件開發包裏發現的。
Apps and browsers made using the Baidu kit have been downloaded hundreds of millions of times, said researchers at Toronto's Citizen Lab in the report. As part of a long-running research project, the Lab has focussed on privacy and personal data use in China. Last year the team found shortcomings in the Alibaba browser.
多倫多公民實驗室的研究人員在報告中指出,使用百度工具包的應用和瀏覽器已被下載了數百萬次。作爲一個長期運行的研究項目的一部分,該實驗室集中研究中國的隱私和個人數據的使用。去年該團隊就曾發現阿里巴巴瀏覽器的缺陷。The latest report found several security and privacy shortcomings in the Baidu code.
而最新報告發現,百度代碼存在安全和隱私弊端。Some data, including GPS coordinates and search terms, is sent in plain text. In addition, the protections added to other forms of information, such as unique device IDs, could easily be broken.
包括全球定位系統的座標和搜索條件在內的一些數據,是以純文本形式發送的。此外,對於新增不同形式信息的保護,如獨特的設備標識,都很容易被識破。Poor protection of apps made with the kit also made users "susceptible" to fake updates that could give an attacker access to a phone or a Windows computer.
對於該套件應用的保護不力,也讓用戶容易受到虛假信息的影響,使得攻擊者很快侵入手機或Windows系統的電腦。"It's either shoddy design or it's surveillance by design," Ron Deibert, director of the Citizen Lab, told Reuters.
公民實驗室主任Ron Deibert告訴路透社:“這要麼是設計劣質,要麼就是蓄意監控”。Citizen Lab said that Baidu had fixed some of the bugs in the code since it had first been told about them in November last year. However, the poor encryption scheme was still being used on sensitive data.
公民實驗室表示,自從去年11月份被告知這一情況之後,百度公司注意到了這些漏洞,並已經修正了一些在代碼中的錯誤。但是,劣質的加密系統仍然被用於敏感數據。
