UC browser accused of transmitting user passwords in cleartext


The outbreak at the end of the year is now spreading to the mobile Internet. A few days ago, a netizen claiming to be a junior hacker published a post on Tianya titled "Pictures and the truth: do you dare to go online with UC?", claiming that UC browser transmits user passwords in clear text, so that a third party can easily steal the user names and passwords that UC browser users enter when logging in to any site.

The post gives a tutorial: set up a fake wireless hotspot (AP) without a password, using a laptop in a crowded place such as Starbucks or McDonald's, with Ethereal/Wireshark installed on the computer. If a user logs in to Gmail, Hotmail or other sites with UC browser, the user name and password submitted are intercepted by Wireshark; the information that should have been protected by a secure HTTPS connection, including the user name and password, is leaked in plaintext. In a later article, the user also tested other brands of mobile phone browser.

To verify whether UC browser really transmits passwords in the clear, I ran the test on my own computer. The PC was connected via ADSL dial-up, and its wireless card was used to simulate a wireless hotspot (AP). On the phone I installed the latest UC browser, V8.2.1.132, from Apple's App Store, and the phone went online through that WiFi hotspot.

I opened UC browser on the phone, started a Wireshark capture on the computer, and then visited the Gmail login page. I tested with the login user name williamlong and the password 1234567890123. Once the login was completed, I stopped the capture and analyzed it. The packet capture screenshot shows the user name and password in cleartext; the communication protocol is HTTP, and the connection goes to a server in Guangzhou, which proves that the HTTPS secure connection was broken.
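The check performed above can be automated. The following Python sketch is an added example, not part of the original post: it scans captured TCP payloads for the test credentials and reports any that are readable outside a TLS record. The payloads, the address 192.0.2.10, the host names and the form field names are constructed for illustration and do not reflect UC's actual proxy format.

```python
import re
from urllib.parse import unquote_plus

# A TLS record starts with content type 0x14-0x17 and version 0x03 0x00-0x04.
TLS_RECORD = re.compile(rb"^[\x14-\x17]\x03[\x00-\x04]")
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")

# Test credentials used in the article's capture.
CANARIES = ["williamlong", "1234567890123"]

# Constructed sample payloads (not real captures): (destination, TCP payload).
SAMPLE = [
    ("192.0.2.10:80",
     b"POST /proxy HTTP/1.1\r\nHost: proxy.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"url=https%3A%2F%2Fmail.example%2Flogin"
     b"&user=williamlong&pass=1234567890123"),
    ("198.51.100.7:443",
     b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))),
]

def classify(payload: bytes) -> str:
    """Label a payload as a TLS record, a plain HTTP request, or other."""
    if TLS_RECORD.match(payload):
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http"
    return "other"

def find_canary_leaks(payloads, canaries):
    """Return (destination, protocol, canary) for each readable canary."""
    leaks = []
    for dst, data in payloads:
        proto = classify(data)
        if proto == "tls":
            continue  # encrypted record: content is not visible to an observer
        # Undo form/URL encoding so encoded credentials are still matched.
        text = unquote_plus(data.decode("latin-1"))
        for canary in canaries:
            if canary in text:
                leaks.append((dst, proto, canary))
    return leaks

if __name__ == "__main__":
    for dst, proto, canary in find_canary_leaks(SAMPLE, CANARIES):
        print(f"cleartext credential {canary!r} sent over {proto} to {dst}")
```
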

Why is HTTPS safe?

HTTPS (Hypertext Transfer Protocol Secure) is a common network transport protocol that provides encrypted communication between client and server. The main idea of HTTPS is to create a secure channel over an insecure network, providing reasonable protection against eavesdropping and man-in-the-middle attacks.

We know that HTTP is unsafe: website accounts and sensitive information can be obtained through eavesdropping and man-in-the-middle attacks. HTTPS is designed to prevent these attacks and is considered safe.

Take the case above, capturing traffic through a forged WiFi hotspot. If the phone uses its native browser, the content of HTTPS traffic usually cannot be read: HTTPS communications are encrypted and difficult to crack. All HTTP traffic, however, can be captured, so accessing private information over HTTP carries a risk of privacy leakage. For example, when a user searches Baidu (Baidu has only an HTTP version), the search keywords can be read by a third party, which brings a risk of leaks. For this reason, in May 2010 Google deployed HTTPS encryption for search globally; with the HTTPS version of Google search, the searches of mobile phone users on an insecure wireless hotspot will not be stolen.

As can be seen, ordinary HTTP browsing is unsafe, while HTTPS browsing is more secure.

The UC browser

From the analysis above, accessing HTTPS sites with the phone's built-in browser is still relatively safe even over insecure WiFi. UC browser, however, uses an acceleration technique based on transit compression to achieve fast Internet access and save user traffic, so all traffic is routed through UC's proxy servers before being sent to the UC browser client. When a user logs in to Gmail through UC, the UC browser sends the URL being accessed and the submitted information to a nearby UC server. This is where the loophole lies: the UC browser mobile client and the UC server communicate over HTTP, and all information, including the user name and password, is transmitted in the clear. Communication between the UC client and the UC server can therefore be monitored and captured by a third party, who can obtain the phone user's account passwords and other sensitive information this way. A user's login to any site can be monitored, including mail, website back ends, online banking and online payment.

In response to this vulnerability, He Xiaopeng, UC's President of Products, said on his microblog that UC will re-evaluate how to more fully protect users' mobile Internet and information security, while providing a mobile Internet enhancement scheme with better security.

Recommendations for UC users

UC browser users going online in public places such as McDonald's or Starbucks should try not to use unknown WiFi hotspots. If you do use one, do not log in to any site; simply browsing the web poses no security issue. If you need to log in, first turn off the accelerated proxy service in UC browser, and then log in.
