Xiaomi accused of harvesting user data from its phone’s default browser, folders
The remote servers were in Singapore and Russia but the web domains they hosted were registered in Beijing
Xiaomi is a leading smartphone vendor in India with a market share of 30%, as per Counterpoint Research
NEW DELHI: Xiaomi is secretly harvesting information on what users are doing on their phones and is sending the data to remote servers, Gabi Cirlig, a White Ops security researcher, has alleged.
Cirlig told Forbes that he found Xiaomi’s default browser on his Redmi Note 8 recording all the websites he accessed, in addition to capturing all search engine queries, even when he used Google or the privacy-focused DuckDuckGo search engines. The recording didn’t stop even when he switched to the more private Incognito mode. Incognito mode keeps browsing sessions private from websites by not saving browsing history, cookies or information entered in forms. Cirlig also alleged that the phone was recording details on folders and screens he accessed.
"Xiaomi is disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation," Xiaomi stated in an email response to Mint.
To find out what information was being taken from the Xiaomi phone, Cirlig decoded a chunk of garbled data hidden with base64 and within seconds was able to see it in readable format.
Base64 is an encoding used to represent binary data as an ASCII string; it is not encryption and is easily reversed.
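The following Python sketch is an added example, not code from the article or from Cirlig's analysis. It shows how someone auditing traffic from their own device can spot base64-wrapped fields in a captured request body and read them; the field names and the payload are constructed for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample data: field names and values are invented, not Xiaomi's.
SAMPLE_EVENT = {"event": "page_view", "incognito": True,
                "url": "https://example.org/search?q=private+query"}
SAMPLE_BODY = urlencode({
    "app": "browser",
    "ts": "1588000000",
    "data": base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode(),
})

# Base64 alphabet, at least 16 characters, optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def try_b64(value):
    """Return decoded text if value is base64 that yields printable UTF-8, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # opaque bytes: likely compressed or actually encrypted
    return text if text.isprintable() else None


def audit_body(body):
    """Map each form field whose value is readable base64 to its decoded content."""
    findings = {}
    for name, value in parse_qsl(body):
        text = try_b64(value)
        if text is None:
            continue
        try:
            findings[name] = json.loads(text)  # structured payload
        except json.JSONDecodeError:
            findings[name] = text              # plain text payload
    return findings


if __name__ == "__main__":
    for field, decoded in audit_body(SAMPLE_BODY).items():
        print(field, "->", decoded)
```

A field that decodes to readable text or JSON in this way has no confidentiality of its own; any protection in transit comes only from the transport layer.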
Cirlig suspects this was not a one-off incident and is happening with other models sold by Xiaomi as well. To verify this, he downloaded firmware for other Xiaomi phones such as the Mi 10, Redmi K20 and Mi MIX 3 and found that they had the same browser code.
Though the remote servers were in Singapore and Russia, the web domains they hosted were registered in Beijing.
To validate Cirlig’s claims, Forbes reached out to Andrew Tierney, a leading cybersecurity researcher, to investigate further. As per the Forbes report, Tierney confirmed that the phone’s default browsers, namely Mi Browser Pro and the Mint Browser, were collecting user data.
Redmi Note 8 series was among the highest selling phones in India, according to market reports. Xiaomi itself is the leading smartphone vendor in India with a market share of 30%, as per Counterpoint Research.
This isn’t the first time the Chinese company has been accused of unauthorised data access. In 2014, cybersecurity firm F-Secure found Xiaomi phones silently sending information such as stored phone numbers, exchanged text messages and the IMEI number of a handset to a remote server in China. Xiaomi later attributed the issue to a loophole in the cloud messaging system and fixed it.