Security researcher Gabi Cirlig’s findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they’re in incognito mode or not, is sent to servers owned by UCWeb. From a report: Cirlig said IP addresses — which could be used to get a user’s rough location down to the town or neighborhood of the user — were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it’s not currently clear just what Alibaba and its subsidiary are doing with the data.
“This could easily fingerprint users and tie them back to their real personas,” Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple’s iOS, he didn’t even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). “This kind of tracking is done on purpose without any regard for user privacy,” Cirlig told Forbes. When compared to Google’s own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he’d looked at other major browsers and found none did the same as UC Browser.