QQ browser privacy disclosure report-vulnerability warning-the black bar safety net

ID MYHACK58:62201675626
Type myhack58
Reporter virustracker
Modified 2016-06-08T00:00:00


0x00 description

QQ Browser is a web browser developed by Tencent for Android, Windows, Mac, iOS and other platforms. Compared to the platforms' built-in browsers, QQ Browser provides richer functionality, for example tabbed windows and an integrated chat platform.

This report analyzes in detail how the Windows and Android versions of QQ Browser transmit user data. When transmitting user identity data, both versions either use no encryption at all or use an encryption scheme that is effectively useless. For the complete discussion, see our report Baidu's and Don'ts: Privacy and Security Issues in Baidu Browser.

Because this way of transmitting data is very insecure, anyone who can get onto the data path, for example the user's ISP, the operator of the coffee-shop WiFi network the user connects to, or an intruder who has compromised either network, can collect and decrypt the traffic and so intercept this personal data.

Besides the insecure data transmission, the update mechanism of both versions of QQ Browser also contains a vulnerability that leads to arbitrary code execution. In other words, an attacker can forge a software update and install malicious code on the user's device.

This report belongs to the Privacy and Security of Mobile Applications in Asia series. Previously, we confirmed that the mobile versions of UC Browser and Baidu Browser have similar problems. Documents released by Snowden also showed that the Five Eyes intelligence alliance (the NSA, GCHQ, CSE, ASD and GCSB) used UC Browser's security weaknesses to identify and track users. In our already published report The Many Identifiers in Our Pockets, we listed which personal data is commonly collected and transmitted.

In addition, we have studied the password auditing mechanisms of TOM-Skype and UC Browser, and comparatively analyzed several mobile chat tools popular in Asia, including WeChat, LINE and KakaoTalk; we also examined WeChat's password auditing mechanism. The main purpose of this research is to use a comprehensive approach, including reverse engineering and other technical analysis methods, to make users aware of the security and privacy issues in these applications, and at the same time to urge the software companies concerned to take responsibility for protecting their users' interests.

On March 17, 2016, we asked Tencent why it collects user data and why these data are sent to QQ servers in an insecure way. Here we raised specific questions. As of the deadline, we had not received any reply. Finally, we discuss some of the possible underlying reasons why Chinese browsers exhibit similar problems.

0x01 technical analysis

We analyzed two versions of QQ Browser: Android version 6.3.0.1920 and Windows version 9.2.5478. During the analysis we used many tools. For example, we used tcpdump and Wireshark to capture and analyze network traffic, and machine-code and byte-code disassemblers, decompilers and debuggers, including JD, JADX and IDA, to analyze the behavior of the program.

We found that both browsers use a general-purpose mechanism to communicate with the server, that this mechanism leads to the leakage of personal information, and that the browser update process also has multiple security vulnerabilities.

Our technical analysis is divided into three parts. The first part describes the basic structure that both versions of QQ Browser use to transfer data to QQ servers. The second part analyzes the collection of personal user data and the software update process in the Android version. The third part analyzes the corresponding functionality of the Windows version.

0x02 Part 1: QQ browser data transfer

Both the Android and the Windows version of QQ Browser use WUP requests to communicate with QQ servers.

WUP request

A WUP request is a binary format that can contain values of different types, e.g. integers, floating-point numbers, lists, strings and recursive structures. Sometimes these requests are first encrypted, then embedded into the body of an HTTP POST request, and finally sent to the destination URL. We wrote a Python script to decrypt and parse these requests and convert them into a human-readable format. The script also includes the other scripts needed to decrypt the data discussed below.

Q-GUID, Q-UA and Q-UA2 fields

The Q-GUID, Q-UA and Q-UA2 fields appear in the HTTP headers of WUP requests. In the descriptions of WUP requests below, when the value corresponding to one of these fields appears in a WUP request payload, we use the field name to refer to that instance. In the HTTP headers these fields are not encrypted; when they appear inside a WUP request, however, their format changes.

The Q-GUID value is assigned at initialization time by a WUP request to the QQ server. Upon receiving this value, the browser retains it and adds it, unencrypted, to the HTTP headers of subsequent requests; many WUP request payloads also contain this value. The following is an example Q-GUID: caed22d728efa6127d53bc0412f888cb

GUID probably stands for "globally unique identifier", a 128-bit number that is usually randomly generated.

The Q-UA and Q-UA2 values contain hard-coded information about the QQ Browser version and the hardware platform. Although UA very likely refers to "User Agent" and the values contain information similar to the HTTP user-agent string, their format differs from the User-Agent HTTP header field that QQ Browser sends.

0x03 Part 2: analysis of the Android version of QQ browser

The Android version of QQ Browser we analyzed is version 6.3.0.1920, downloaded from <http://mb.qq.com/>. After starting, or when certain events occur, such as browsing the web or checking for updates, the browser sends WUP requests to http://wup.imtt.qq.com:8080/. These requests use the following encryption.

For each encrypted WUP request, an AES key is generated according to the following Java code (decompiled from the browser):

// AES key: two random 8-digit decimal numbers concatenated into 16 ASCII digits (java.util.Random)
int i = 10000000 + new Random().nextInt(89999999);
int j = 10000000 + new Random().nextInt(89999999);
return (String.valueOf(i) + String.valueOf(j)).getBytes();
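As an added example, not the report's own script, the following Python re-implements this key derivation and computes the size of the key space it actually yields; the function names are ours, and the check at the end is a defender-side test for keys built this way:

```python
import math
import random

# Re-implementation of the QQ Browser Android key derivation shown above:
# two 8-digit decimal numbers concatenated into 16 ASCII digits.
# Java's nextInt(89999999) yields 0..89999998, as does randrange(89999999).
def qq_android_aes_key(rng=random):
    i = 10000000 + rng.randrange(89999999)
    j = 10000000 + rng.randrange(89999999)
    return (str(i) + str(j)).encode("ascii")

# Size of the key space this scheme produces, in bits. Each of the two numbers
# takes 89999999 distinct values, so there are 89999999**2 possible keys,
# roughly 2**52.8, instead of the 2**128 a random AES-128 key would give.
def effective_key_bits():
    return 2 * math.log2(89999999)

# Bits of security lost compared with a uniformly random 128-bit key.
def bits_lost():
    return 128 - effective_key_bits()

# Defender-side check: a 16-byte AES-128 key consisting only of ASCII digits
# is drawn from at most 10**16 values and should be treated as weak.
def is_weak_digit_key(key: bytes) -> bool:
    return len(key) == 16 and all(0x30 <= b <= 0x39 for b in key)

if __name__ == "__main__":
    k = qq_android_aes_key()
    print(k, "weak" if is_weak_digit_key(k) else "ok",
          "effective bits:", round(effective_key_bits(), 1),
          "bits lost:", round(bits_lost(), 1))
```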

