English 中文
Close
QQ Tencent Data Security

Tencent Apologizes as QQ Found Collecting User Browser History

Wang Boyuan

posted on January 20, 2021 10:32 am

Facing allegations that QQ, a popular IM app in China, collects users' browsing history in the background without consent, Chinese tech giant Tencent issued a rare apology, and said that it has pushed an update to fix the issue.

Last week, a couple of security researchers noticed that the latest version of QQ for Windows tried to fetch user history files from Edge, Microsoft's first party browser for Windows 10, when it shouldn't at all since it's a standalone application to browser. Further reverse engineering revealed that QQ reads the same files from Google Chrome, Edge, 360 Browser, i.e. all Chromium-based browsers, and even tries to extract hyperlinks.

The code that ignited such behavior can be dated back to June 2018. TIM, Tencent's workplace version of QQ, also shared the code and thus collected user's browsing history as well. The researcher did not say if QQ/TIM fetch non-Chromium browsers such as Firefox.

While QQ and TIM was able to do so on Windows, a series of tests showed that platforms like macOS and mobile were not affected. As for WeChat, Tencent's primary mobile superapp, there is also no evidence yet that it exhibits such behavior.

Developer community V2EX and security forum Pediy were believed to be blocked on QQ soon after discussion threads on the two sites gained traction. A warning sign that reads "harmful website, you shall not visit" is displayed as the user clicks corresponding links inside the QQ chat window, both on desktop and mobile. 

Tencent explained that the QQ PC app was reading these data to help user reduce account security threats and avoid "malicious login attempts". 

While emphasizing that all the data the client app read would not be uploaded or saved, the QQ team wrote on Zhihu that "we feel deeply sorry for this, and we are looking to fix security issues in the past and will maintain user data regulation first in the future."

The two aforementioned sites are unblocked as of today. However, since the history version of QQ and TIM are still available and an in-app upgrade is not mandatory, users have to navigate to the Microsoft Store or QQ's official site to get the fix.

QQ Tencent Data Security