"If you have a Xiaomi phone or are using one of their browsers, the company tracks your web usage and much more." That is how blunt Forbes cybersecurity editor Thomas Brewster was on his Twitter page after publishing the report in which he explains how the Beijing company would be collecting user data and sending it to servers managed in China whenever one of its web browsers is used, whether the browser embedded in its products or the Mint Browser application, which is available for download on Google Play and from third-party sites.
In collaboration with several specialist cybersecurity researchers, it was concluded that these systems were sending data packets containing information such as the history of visited web pages and URLs, the items viewed in Xiaomi's news feed, and details about the device. The most worrying thing is that this data appears to have been sent even when "incognito mode" was in use.
Incognito mode is less confidential
The collection and submission of this data seemed to occur in each of the three web browsers
To demonstrate the effectiveness of this method of data collection, the researchers have published a video showing how information is recorded, to be sent later, as the user browses the Internet. In response to these accusations, Xiaomi explained in a statement that "Research information is not accurate" and "privacy and security are your top concerns".
In addition, the company says the video only shows the collection of anonymous data which, in the brand's words, "is one of the most common solutions found by internet companies to improve the browser's product experience through the analysis of anonymous data itself."
But the investigators appear to be totally skeptical of Xiaomi's words. Most of all because, even though the data sent to servers hosted in China, belonging to the Internet giant Alibaba, was encrypted, the method used was base64, which is easily decoded. In addition, the browser logs showed "pings" to domains related to the Chinese data analytics company Sensors Data. As if that wasn't enough, the investigators have shown that, since the shared data included each device's identification data, it would not be difficult to "Report metadata to the person behind the screen".
The details of the parameter data are of particular interest to me.
URL shortening.
base64 base.
The gun.
JSON data.
I don't think that should be there. pic.twitter.com/5CYH5FU9E4
– Cybergibbons (@cybergibbons) April 30, 2020
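As an added illustration (not code from the researchers or from Xiaomi), this Python sketch shows why base64 gives no confidentiality: it inspects a form-encoded request body, decodes any parameter that is base64-wrapped JSON, and lists the URLs found inside. The parameter name `data`, the JSON field names and the sample body are constructed for the example.

```python
import base64
import binascii
import json
from urllib.parse import parse_qsl, urlencode


def decode_b64_json(value):
    """Return the parsed JSON if value is base64-encoded JSON, else None."""
    # Accept the URL-safe alphabet and undo '+' -> ' ' from form decoding.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, (dict, list)) else None


def find_urls(obj, path=""):
    """Yield (json_path, url) for every string value that is a web URL."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from find_urls(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from find_urls(val, f"{path}[{i}]")
    elif isinstance(obj, str) and obj.startswith(("http://", "https://")):
        yield path, obj


def audit_body(body):
    """Report (parameter, json_path, url) for URLs hidden in base64 JSON."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        obj = decode_b64_json(value)
        if obj is not None:
            findings.extend((name, p, u) for p, u in find_urls(obj))
    return findings


def build_sample_body():
    """Constructed telemetry body; every field name and value is made up."""
    event = {"event": "page_view", "device_id": "CONSTRUCTED-0001",
             "incognito": True,
             "properties": {"url": "https://example.org/private?q=test"}}
    blob = base64.b64encode(json.dumps(event).encode()).decode()
    return urlencode({"data": blob, "v": "1"})


if __name__ == "__main__":
    for finding in audit_body(build_sample_body()):
        print(finding)
```

Anyone positioned to read the request, or the party receiving it, recovers the visited URL and the device identifier with standard library calls and no key.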
Xiaomi responds and already lets you disable data transmission in incognito mode
Shortly after the publication of this report, Xiaomi decided to respond to these allegations through a post on its official blog. On May 2, the first version of the post explained how the URL collection and submission system works, and also claimed that the data was made anonymous before it was sent and is therefore not related to the user of the device in any way.
Xiaomi, on the other hand, says that browsing history is synced, but only if the user is logged into a Mi Account and the option is activated in the browser settings. However, the company denies that information is shared when the browser's incognito mode is used.
Later, on May 3, the brand confirmed that an upcoming update for Mi Browser and Mint Browser would give users the ability to activate or deactivate data collection in incognito mode. That update came on May 4, and is now available for download through Google Play. In announcing this feature, the company stated that its arrival, combined with the intention to keep the data completely anonymous, demonstrates the company's commitment to users' privacy.