Whether you are a Chrome, Safari or Opera user, you are aware that each browser affords you some level of security. Features like incognito mode can help keep your data safe from prying eyes.
When you want more privacy, you can start using a VPN. Tap or click here for details on how a VPN can protect your privacy and find out Kim’s VPN of choice.
You would have to dig deep to find a browser that doesn’t have an incognito mode. When using it, you expect it to work as intended. But a popular browser was recently caught tracking users. Keep reading to find out why it’s a good idea to delete it now.
Here’s the backstory
One of the most popular browsers in India and Indonesia, UC Browser, has been found to keep track of users even if they activated incognito mode. This naturally poses a huge security risk for those users.
The browser is owned by a subsidiary of Chinese tech giant Alibaba. In 2018 it had a 16% share of the worldwide browser market. The issue has been somewhat mitigated in India. The country has been on a crusade to ban most Chinese-developed apps.
Security researcher Gabi Cirlig discovered the serious flaw in UC Browser. He was previously responsible for uncovering security issues within certain Xiaomi products. Cirlig discovered that every website iOS or Android users visit is sent to a server at the parent company UCWeb. This is regardless of the browsing mode used.
Cirlig explained what he found in the following tweet:
1/X There's loads of metadata being sent every time I visited a website on UCWeb. It's really weird cuz my website contains like 1 static page and another 404 link lol.— Gab̴̯̚i̶̳̇ C̵̯͖̈͗͒͐i̷͖̘̭͑̈͊r̷͙̞̽͛̿ľ̸̢i̴̧̱͓̅ĝ̵͇͍͕̙ (@hookgab) June 1, 2021
Things got weirder the more he delved into the issue, leading Cirlig to report his technical findings on a Medium blog. “In addition to the visited URL the browser sends the IP of the user and a proprietary ID which seems to have been the same over the duration of the analysis. This could easily fingerprint users and tie them back to their real personas,” he wrote.
What should you do now?
The obvious step for any user of this browser, whether on Android or iOS, is to stop using it and uninstall it immediately.
On iOS devices, compressed data without a password or encryption containing sensitive information was sent to the UCWeb servers. On Android, while the overall result was the same, the data sent to the servers were encrypted with AES security. This would make it marginally harder for a cybercriminal to access.
To make matters worse for the company, this isn’t the first time it has been caught in the crosshair of security researchers.
“While the findings are no longer applicable, the problem remains, nonetheless. At the time of the writing these issues have not been fixed even after contacting Alibaba, with user browsing/location data being sent to UCWeb’s servers in real time,” Cirlig concluded.