Alibaba's browser is the fourth largest browser in terms of the number of users in the world. This is largely due to the large user base in Asia. Alibaba-owned UC Browser promises that no web browsing or search history will be logged in incognito mode.
Such guarantees, along with promises of fast download times, have made the browser, created by Alibaba subsidiary UCWeb, popular worldwide, with 500 million downloads via Android alone. Before it was banned by the Indian government due to security concerns linked to Chinese apps, it was reportedly one of the most popular browsers in India.
But UCWeb's privacy pledges are misleading, according to security researcher Gabi Cirlig. The findings revealed that in both the Android and iOS versions of UC Browser, every website a user visits, regardless of whether they are in incognito mode or not, is sent to servers owned by UCWeb.
The IP addresses which can be used to get a user's approximate location to a user's city or neighborhood are also sent to servers controlled by Alibaba, Seerlig said.
These servers are registered in China. It carried the Chinese .cn domain name extension. But it is hosted in the United States. Each user is also assigned an ID number, which means that their activity across various websites can be monitored by the Chinese company.
It is currently not clear what Alibaba and its subsidiary are doing with the data. This can lead to users reaching out to their real selves, Seerlig wrote in a blog post.
Alibaba Browser Spying
Searlig managed to uncover the problem by reverse-engineering some of the encrypted data he spotted while returning it to Beijing. Once the key was cracked, he was able to see that every time he visited a website. It is encrypted and sent back to Alibaba. And Searlig didn't need to reverse-engineer the encryption via iOS because there wasn't anything across the device.
This type of tracking is done on purpose without any regard for user privacy, Seerlig said.
When compared to Google Chrome, for example, it does not convey the user's web browsing habits when in incognito mode. He examined other major browsers and found that none of them do the same thing as UC Browser. Although cookies may track users in a similar way. This is different from the browser getting URLs.
In a video, Seerlig demonstrated what was happening when he used the UC Browser, including how to attach a unique ID number to it. Another issue was with the iOS version of the Alibaba-owned app. The web browsing collection is not disclosed to users. This is because it has not been updated after Apple introduced a feature in the App Store to detail the privacy practices of each app.
Alibaba, which has a market capitalization of $600 billion, was concerned about Apple's app tracking transparency feature. This feature allows users to block apps from being tracked. One of the first tangible signs that the iPhone maker's emphasis on privacy is causing major problems for the likes of Alibaba is the inaccessibility of one of the most popular mobile apps via the Apple App Store.