Alibaba’s Popular Mobile Web Browser, UC Browser, Has ‘Incognito’ Mode That Isn’t Private at All

Thomas Brewster, writing for Forbes:

But the privacy pledges made by UCWeb are misleading, according to security researcher Gabi Cirlig. His findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they’re in incognito mode or not, is sent to servers owned by UCWeb. Cirlig said IP addresses - which could be used to get a user’s rough location down to the town or neighborhood of the user - were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it’s not currently clear just what Alibaba and its subsidiary are doing with the data. “This could easily fingerprint users and tie them back to their real personas,” Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday.

Not what you want.

Tuesday, 1 June 2021