Personal data is being collected and transmitted insecurely by thousands of apps using code from the Chinese net giant Baidu, say security researchers.
Millions of Chinese people are believed to have been affected by the data leaks. The data reveals where people are, search terms, sites visited and the ID numbers of devices they own.
Baidu said it had tackled the problems with the insecure computer code. The code is found in a software development kit that can be used to create apps for Android phones.
Apps and browsers made using the Baidu kit have been downloaded hundreds of millions of times, said researchers at Toronto's Citizen Lab in the report. As part of a long-running research project, the Lab has focussed on privacy and personal data use in China. Last year the team found shortcomings in the Alibaba browser.
The latest report found several security and privacy shortcomings in the Baidu code.
Some data, including GPS coordinates and search terms, is sent in plain text. In addition, the protections added to other forms of information, such as unique device IDs, could easily be broken.
Poor protection of apps made with the kit also made users "susceptible" to fake updates that could give an attacker access to a phone or a Windows computer.
"It's either shoddy design or it's surveillance by design," Ron Deibert, director of the Citizen Lab, told Reuters.
Citizen Lab said that Baidu had fixed some of the bugs in the code since it had first been told about them in November last year. However, the poor encryption scheme was still being used on sensitive data.