
UC Browser for Android, Desktop Exposes 500M Users to MiTM Attacks - cpeterso
https://www.bleepingcomputer.com/news/security/uc-browser-for-android-desktop-exposes-500-million-users-to-mitm-attacks/
======
zoom6628
FWIW UC Browser is prob the most popular web browser used on Android phones in
China. Every device I've seen, or owned, has it pre-loaded or is top choice for
getting loaded. I have also tried it out myself, but as other posters have
written already, it's awful.

Wondering out loud, I would ask if the vulnerability to MiTM is actually
required. From reports here on HN 2-3 years ago, MiTM is basically what the GFW
achieves, and it inserts its own headers to route away from intended (and
blocked) servers and to benign local China servers (such as Baidu). Perhaps
this vulnerability exists in their need to be compliant with local Chinese law,
which basically prevents one bypassing/nullifying the GFW without permission?

This is an open and honest question, not an opinion. Hope someone can answer
with facts. I've lived in China for the past 12 years and have had enough hearsay,
rumour, and opinion to last me multiple lifetimes :-)

~~~
bgee
> and it inserts its own headers to route away from intended(and blocked)
> servers and to benign local China servers(such as baidu)

I was never aware that GFW would route traffic to local China servers such as
Baidu's, can you kindly provide some links?

~~~
zoom6628
Here you go - happy reading.
[https://www.tuicool.com/articles/6vqyqan](https://www.tuicool.com/articles/6vqyqan)
[https://www.netresec.com/?page=Blog&month=2015-03&post=China...](https://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub)

~~~
bgee
If I'm reading them correctly, those two posts are the opposite of what the
parent post tried to say.

Those DDoS attacks were carried out by directing traffic to GitHub when that
traffic should have gone to Baidu.

Did I miss something?

------
Matsta
Just had a quick Google and this company is owned by Alibaba:
[https://en.wikipedia.org/wiki/UC_Browser](https://en.wikipedia.org/wiki/UC_Browser)

Seems like they've already been in hot water for vulnerabilities in their
browser: [https://www.cbc.ca/news/canada/spy-agencies-target-mobile-ph...](https://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546)

~~~
40dslf
What conclusion do you draw from that company being owned by Alibaba? I don't
see the relevance of this.

~~~
outloudvi
[https://www.uc.cn/](https://www.uc.cn/)

If you mean evidence of UC being connected to Alibaba, I think this
site is convincing enough.

[EDIT: Fix link]

~~~
40dslf
You misunderstood me. I firmly believe UC is owned by Alibaba, but I insist
that I don't understand why that is important.

~~~
wastedhours
Useful context for me, as I hadn't heard of the browser and so had no idea how
they could have such a large userbase.

I don't think the intention was to draw a correlation between Alibaba and
security lapses.

~~~
fencepost
Some of it may be inertia from early days of Android - for a long time I still
had the Dolphin browser installed because for a time back in the Android 2.x
days it was the best option around and IIRC included its own build of
Chromium's rendering engine ("Dolphin Jetpack").

UC Browser is likely also available on devices not using Google Play where
Chrome may not be an option.

------
plibither8
I really hope this substantially reduces the number of users, or Google takes
the app down completely. The browser is ridiculously terrible: both from the
user and the developer point of view.

The browser constantly spams the phone with irrelevant, clickbait news
articles/ads (and yet it's so popular). The developers (especially in India)
cannot ignore the browser because of its large userbase, and then that's one
more browser you have to look after.

~~~
rushikesh98
> The browser constantly spams the phone with irrelevant, clickbait news
> articles/ads (and yet it's so popular).

Regular people don't stop using an app because it shows irrelevant articles or
clickbait. Facebook and YouTube trending are more "mainstream" examples of
this.

------
saagarjha
> Android apps "distributed via Google Play may not modify, replace, or update
> itself using any method other than Google Play's update mechanism. Likewise,
> an app may not download executable code (e.g. dex, JAR, .so files) from a
> source other than Google Play."

Obvious question: why did this get approved, and will Google amend their
process to close this loophole?

~~~
ignoramous
Fwiw, Firefox Mobile lets you download add-ons and plugins, as well, that
modify behaviour of the app. Not sure what justification UCWeb might have
given here to Google, though, it is more likely that with certain apps,
external install, command, and control is a valid and exceptional use-case.

~~~
PudgePacket
Firefox extensions are just JS executed in a sandboxed runtime though...

By that logic you could argue a webpage's JS is a downloadable plugin that
modifies the behavior of the browser while it displays HTML content :)

------
pier25
Why would anyone use anything else than Chrome or Firefox on Android?

I wouldn't even trust Samsung.

~~~
altenotiz
I believe things might work pretty differently when it comes to China, which
is the main demographic of this browser.

~~~
rishav_sharan
And India, where it is heavily used. UC Browser is the Yahoo of browsers. It
bundles many app-like features into the browser, and for a lot of people who
aren't tech savvy, it's their one-stop gateway to everything internet.

------
max_wen
People really use this browser?

~~~
onionsoup
It was the largest browser in Indonesia and India, at least in part
because it's marketed as saving $$ on data by blocking calls to download ads
and other scripts[1][2].

[1] [https://www.scmp.com/tech/article/2130205/alibabas-uc-mobile...](https://www.scmp.com/tech/article/2130205/alibabas-uc-mobile-browser-no-1-india-google-closing-phones-get-fancier)
[2] [https://marketingland.com/alibabas-uc-browser-beating-google...](https://marketingland.com/alibabas-uc-browser-beating-google-chrome-indian-mobile-market-231241)

~~~
baybal2
While downloading gigabytes of own ads...

------
userbinator
_" It’s impossible to be sure that cybercriminals will never get ahold of the
browser developer’s servers or use the update feature to infect hundreds of
millions of Android devices."_

Apparently they didn't consider the same sentence would be just as valid if
they replaced "browser developer" with Google...

This is an example of the authoritarian security sensationalism that's far too
common today, and it only leads to the big companies like Google getting even
more power over users. One of the most secure places is in an isolated prison
cell.

~~~
zamadatix
If you continue reading you find the key difference to the comparison you just
made:

> This unofficial update feature present in UC Browser can also be used by
> would-be attackers to perform man-in-the-middle attacks (MitM) attacks,
> potentially leading to remote code execution on compromised devices, because
> the app communicates with its servers using an unencrypted channel over
> HTTP.

It's a lot easier to use the update feature to infect millions of people when
it's just using plain HTTP.

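zamadatix's point is that a plain-HTTP update channel lets anyone on the path swap the payload before it reaches the client. As an added illustration (not from the article or any commenter), here is a stdlib-only Python sketch of the client-side checks an updater should apply before installing downloaded code, using a constructed manifest, release key and payloads; the HMAC stands in for the asymmetric signature a real updater would verify with a public key.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hypothetical release key baked into the client at build time (constructed value). A real
# updater verifies an asymmetric signature with a public key; HMAC just keeps this stdlib-only.
RELEASE_KEY = b"constructed-release-key-do-not-reuse"

class UpdateRejected(Exception):
    pass

def sign_manifest(manifest):  # publisher side: serialise and tag with the release key
    raw = json.dumps(manifest, sort_keys=True).encode()
    return raw, hmac.new(RELEASE_KEY, raw, hashlib.sha256).hexdigest()

def check_update(raw, tag, payload, installed):
    """Client side: return the manifest only if every check passes."""
    # 1. Authenticate the manifest before trusting any field inside it.
    expected = hmac.new(RELEASE_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(raw)
    # 2. Reject rollback: an on-path party can replay an old, validly signed manifest.
    if manifest["version"] <= installed:
        raise UpdateRejected("manifest version not newer than installed")
    # 3. Executable code must only be fetched from a TLS-protected origin.
    if urlparse(manifest["url"]).scheme != "https":
        raise UpdateRejected("refusing non-TLS update source")
    # 4. Pin the payload to the digest carried in the authenticated manifest.
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("payload digest mismatch")
    return manifest

GOOD = b"genuine-update-bytes"  # constructed sample payload
GOOD_SHA = hashlib.sha256(GOOD).hexdigest()
RAW, TAG = sign_manifest({"version": 42, "url": "https://updates.example/42.bin", "sha256": GOOD_SHA})
RAW_HTTP, TAG_HTTP = sign_manifest({"version": 43, "url": "http://updates.example/43.bin", "sha256": GOOD_SHA})

def demo():  # returns the accepted version per scenario, or the reason it was refused
    cases = {"genuine": (RAW, TAG, GOOD, 41),
             "tampered": (RAW, TAG, b"attacker-injected-bytes", 41),
             "rollback": (RAW, TAG, GOOD, 42),
             "plain_http": (RAW_HTTP, TAG_HTTP, GOOD, 41)}
    results = {}
    for name, args in cases.items():
        try:
            results[name] = check_update(*args)["version"]
        except UpdateRejected as exc:
            results[name] = str(exc)
    return results
```

Only the genuine case installs; a payload altered in transit, a replayed older manifest, and a manifest pointing at a plain-HTTP origin are each refused with a distinct reason.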
~~~
userbinator
Then why didn't they just leave the first part of the sentence out completely?
It would then be more factual and less scaremongering --- unless that's what
they wanted, to push a "Google can do no wrong" agenda.

I have no problem with factual reporting of the risks; it's the scaremongering
promotion of Google's walled-garden that irritates me the most.

------
diogenescynic
If you care about security or privacy, it seems like you’d avoid Android.

~~~
m-p-3
But unless you can get Apple to make cheap devices for the masses (like
Android One and Android Go) in developing countries, their high price point
will push you towards giving up your privacy to have a smartphone and be
reachable online.

------
austincheney
> using unprotected channels

It's not man in the middle. I have seen this mistake a lot lately. Man in the
middle only involves encryption. Otherwise it is just injection or
redirection. It is not a man in the middle attack merely because something
happened in the middle of a transmission. There is always stuff that happens
in the middle of a transmission if you want to get technical about packet
switching and ARP resolution.

Specifically man in the middle deals with intercepting a certificate or key
request in the middle of a transmission so that the encrypted tunnel is
between one end point and the attacker. The attacker then establishes a second
encrypted tunnel between themselves and the other end point.

Wikipedia page - [https://en.wikipedia.org/wiki/Man-in-the-middle_attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)

I am certain about this because I had to study it in order to pass the CISSP
exam (first time, back when it was a 250-question paper test).

~~~
Spare_account
> Man in the middle only involves encryption.

This doesn't feel right to me, so I would like to explore it if you are
willing to help me understand. I've grabbed a couple of sources below which
appear to contradict your assertion, but I'll admit I'm no expert on this
topic, so if I'm misunderstanding things, I'd appreciate being put right.

The Wikipedia article you linked to includes the following section:

> _A notable non-cryptographic MITM attack was perpetrated by a Belkin
> wireless network router in 2003. Periodically, it would take over an HTTP
> connection being routed through it: this would fail to pass the traffic on
> to destination, but instead itself responded as the intended server. The
> reply it sent, in place of the web page the user had requested, was an
> advertisement for another Belkin product._

OWASP's definition uses plaintext HTTP as its primary example of a MITM
attack:

[https://www.owasp.org/index.php/Man-in-the-middle_attack](https://www.owasp.org/index.php/Man-in-the-middle_attack)

> _For example, in an http transaction the target is the TCP connection
> between client and server. Using different techniques, the attacker splits
> the original TCP connection into 2 new connections, one between the client
> and the attacker and the other between the attacker and the server, as shown
> in figure 1. Once the TCP connection is intercepted, the attacker acts as a
> proxy, being able to read, insert and modify the data in the intercepted
> communication._

> _The MITM attack is very effective because of the nature of the http
> protocol and data transfer which are all ASCII based_

~~~
gruez
Yes, technically, because it's conducted by someone in the middle of the
transport path, you can call it man in the middle. The problem is that if you
call all attacks that, what do you call the attack where asymmetric key
exchange is being replicated by some attacker in the middle?

Also, it's possible to pull this particular attack off without being in the
"middle". For example, by using DNS cache poisoning or ARP spoofing.

~~~
joombaga
> The problem is that if you call all attacks that, what do you call the
> attack where asymmetric key exchange is being replicated by some attacker in
> the middle?

You use a more exact term. I don't see the problem.

~~~
austincheney
I think you are missing the prior commenter's point. MITM already has a
specific definition. It isn't as broad as you are attempting to redefine it.

This concept is commonly understood by security people and commonly confused
by software developers. I suspect the failure is that for software developers
all parts of a network are in the middle between their application and their
end user, so anything in that nebulous space corresponds with the words
comprising MITM. That line of thinking is reductio ad nauseam.

