China Digital

Cybersecurity Researcher Discovers Unsecured Database with Millions of Chinese Social Media Chat Logs

Victor Gevers says it is his mission to “report vulnerable systems.”

Manya Koetse

Image by iFeng Games (games.ifeng.com)

Victor Gevers, a Dutch researcher at the cyber-security NGO GDI Foundation, has discovered that a Chinese database containing 364 million records, including personal identity data, images, and chat conversations of PRC citizens, was left open to anyone who searched for its IP address.

Some of the information records allegedly come from apps developed by Chinese tech giant Tencent, including WeChat (Weixin), WeChat Wallet and QQ, but also from Alibaba’s Wangwang Message (阿里旺旺), which is the main chat program used on China’s most popular e-commerce site Taobao.

Gevers tweeted about his findings earlier this week (@0xDUDE). Journalist Yuan Yang reported on the issue in the Financial Times on March 4, writing that a large number of the records carried the names and addresses of Chinese internet cafes.

Chinese internet cafes are legally required to install monitoring software on their computers (Wǎngbā guǎnlǐ ruǎnjiàn 网吧管理软件 “Internet cafe management software”). Well-known examples of this software are PubWin, Sicent (万象), Zuolun (左轮), or Fangzhu (方竹).

Gevers extensively tweeted about the open database over the past few days. On March 2nd, Gevers wrote on Twitter:

“So this social media surveillance program is retrieving (private) messages per province from 6 social platforms and extracts names, ID numbers, ID photos, GPS locations, network information, and all the conversations and file transfers get imported into a large online database.”

On Tuesday, March 5th, Gevers also spoke to the Dutch ‘Foreign Desk’ (Bureau Buitenland) Radio 1 program, saying:

“We assume that these messenger services are being screened by Chinese authorities, and of which [the information] is collected in one place. What we saw is that the profiles connected to GPS locations, device use, which wifi networks were used, Chinese ID numbers, ID photos – basically the full profile relating to the conversations. And then these conversations were sent out to various provinces across seventeen servers.”

On Twitter, he further stated:

“Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name.”

On March 4th, Gevers also wrote that “[Chinese internet] is a space filled with open databases,” later tweeting that the same holds true for other countries, including the US.

News of the online leak was also picked up by various Chinese media outlets, including tech news site Driver China (驱动中国). Chinese news sites Sina, Sohu, Phoenix News, Techcrunch.cn, IThome.com, and Q Daily also reported about the issue, but these news articles were all pulled offline at time of writing, coming up with a ‘404’ error message.

One Chinese blog reporting on the issue not only highlighted that the database discovered by Gevers was accessible to anyone who knew its IP address but, notably, also reported that it was available for viewing “free of cost.”

The issue was discussed on Weibo, where hashtags such as “360 million records leaked” (#中国3.6亿份聊天记录被泄露#) popped up with hundreds of views, but comments were soon taken offline.

As the annual Two Sessions (两会), China’s most important political event of the year, are currently taking place, Chinese social media is seeing increased censorship and control.

One of the comments that did get through on Weibo noted that as long as news reports were being ‘harmonized,’ it would be difficult for people to tell if this is “fake news” or not.

The fact that Chinese authorities screen digital data is no secret. In 2016, China’s Ministry of Public Security announced that messages posted on social media platforms such as Weibo, Baidu Tieba, or WeChat, could be identified as legal evidence and that China’s public security organs have the right to access electronic information and collect user data.

As a hacker and researcher, Gevers says his mission is to “report vulnerable systems” and sometimes “share what we learn.”

By now, the internet service provider behind the server has been warned about the open database, and within two hours after receiving the warning, the database was no longer accessible.

But how is such a leak possible in the first place? According to Gevers, the answer is quite straightforward: “The problem here is a knowledge gap. And that [knowledge] problem is not just an issue in China, it’s a worldwide problem (…) among people who build these kinds of systems,” he said on Dutch Radio 1.

Gevers’ research also made headlines in February of this year, when the Dutch hacker revealed that millions of personal data records stored by the Chinese AI-based security software company Sensenets were openly accessible.

For more about the Sensenets leak, check here. To follow Victor Gevers on Twitter see twitter.com/0xDUDE.

By Manya Koetse

Spotted a mistake or want to add something? Please email us.

©2019 Whatsonweibo. All rights reserved. Do not reproduce our content without permission – you can contact us at info@whatsonweibo.com.

Manya Koetse is the editor-in-chief of www.whatsonweibo.com. She is a writer and consultant (Sinologist, MPhil) on social trends in China, with a focus on social media and digital developments, popular culture, and gender issues. Contact at manya@whatsonweibo.com, or follow on Twitter.

1 Comment

    Joey

    March 5, 2019 at 10:45 pm

    Lovely, Dutch researcher working to improve the security of China’s surveillance systems. Too young, too simple, sometimes naive…

China Digital

Cybersecurity Experts Warn: Flicking the V-Sign in Photos Could Give Away Your Fingerprint Data

V-sign selfie pictures could disclose personal information about your fingerprints, security experts warn.

Manya Koetse

Our cameras are getting better, but that’s not always a good thing. Chinese internet security experts warn that peace sign photos could potentially be abused to collect fingerprint data.

The 2019 China Cybersecurity Week was held in Shanghai this week, and made it to the top trending topics on Sina Weibo today.

The topic attracting the attention of millions of Chinese web users is not China’s cybersecurity in general, but one that was discussed during the event, namely the potential privacy risks of making a V-sign in photos.

Chinese internet security experts at the conference warned that people are unaware that they could be giving away personal data about their fingerprints when sharing photos of themselves making a peace sign.

If the side of the fingertips is facing the camera, and if there is not a lot of space in between the camera and the hand, it would potentially be possible to gather fingerprint data using photo enlargement tools and AI techniques.

Photo by Priscilla Du Preez.

The deputy director of the Shanghai Information Security Industry Association stated that photos displaying a fingertip-facing V-sign taken within 1.5 meters of the camera could potentially disclose 100% of one’s fingerprint information, China Press reports.

A booth at the conference giving information about fingerprint information leaking through V-sign photos. Photo via China Press.

Criminals could reconstruct other people’s fingerprint patterns and abuse them in various ways – basically wherever fingerprint information is used to confirm people’s identities (e.g. biometric door locks or fingerprint payment scanning).

Besides not disclosing fingerprint information in photos posted online, experts also warn people not to leave fingerprint information at machines without confirming their purpose and legality.

Fingerprint scanning is used for a multitude of purposes in China. Foreigners who have arrived in China since 2017 will also be familiar with the policy of collecting foreign passport holders’ fingerprints upon their arrival in the PRC.

On Chinese social media, the topic “Making a V-Sign Could Leak Your Fingerprint Data” is one of the biggest being discussed today. On Weibo, the hashtag has gathered 200 million views at time of writing (#拍照比剪刀手会泄露指纹信息#).

Some commenters advise people on social media to make peace signs with the nail side of the fingers facing the camera. (That gesture, however, is deemed an offensive gesture in some nations.)

The V-sign is often used as a rather non-symbolic or cute gesture across East Asia.

Although in many Western countries the symbol is mostly known as the victory sign (“V for Victory”) as used during World War II, it entered mainstream popular culture in Japan in the 1960s and spread to other Asian countries from there.

This Time article explains how the gesture appeared in Japanese manga in the late 1960s, one of them titled V is the Sign (Sain wa ‘V’ / サインはV).

Amid the concerned Weibo users, some are not worried: “It’s ok,” one commenter writes: “Using a Beauty App smoothes out my skin anyway.”

There are also many commenters who are confused about the news, wondering what advanced camera quality and AI techniques might imply for future privacy risks concerning face recognition data and iris scanning software (“Should we also close our eyes?”).

Others offer a different solution to the unexpected V-sign issue: “Just flip the middle finger instead.”

By Manya Koetse

The images used in the featured image on this page come from 追星娱乐说.

China Digital

“Taobao Life”: This Feature Shows How Much Money You’ve Spent on Taobao

Some users just found out they could’ve bought a house with the money they’ve spent on Taobao.

Manya Koetse

Over the past few days, a new Taobao feature that allows users to see how much money they have spent on the online shopping platform is flooding Chinese social media.

Taobao Marketplace is China’s biggest online shopping platform. Owned by tech giant Alibaba, Taobao was launched in 2003 to facilitate consumer-to-consumer retail.

For many people, Taobao shopping has become part of their everyday life. Whether it is clothes, pet food, accessories, electronics, furniture – you name it, Taobao has it.

Because buying on Taobao is so easy, fast, and convenient, many online consumers lose track of how much they actually spent on the platform – especially if they have been using it for years already.

Thanks to “Taobao Life,” users can now see the total amount of money spent on their account.

How to do it? First: go to Taobao settings and click the profile account as indicated below.

Image by whatsonweibo.com

Then click the top icon that says “Achievement” (成就).

Image by whatsonweibo.com

And here you find what you have spent in this account in total. On the left: the money spent, on the right: the amount of purchases.

Image by whatsonweibo.com

Since I started using this Taobao account for the occasional clothes shopping in 2016, I’ve made 122 purchases, spending 7849 yuan ($1140) – a very reasonable amount compared to some other Taobao users, who are now finding out they could have practically bought an apartment with the money they have spent on Taobao.

This user, for example, found out they spent over half a million yuan on Taobao ($75,500).

Image via whatsonweibo.com

This user below has spent over 1.1 million yuan on Taobao ($170,000).

Some people discuss all the things they could have bought with the money they have spent on Taobao over the years: “As soon as I saw the number, I wanted to cry,” one Weibo user writes: “What have I done?!”

Another person, finding out they have spent 230,000 yuan on Taobao ($33,400), writes: “This can’t be true! Surely this must be a mistake!?”

“If I wouldn’t have spent all this money on Taobao, I would’ve been rich,” others say.

The topic of Taobao’s total spending amount has become so popular on Chinese social media this week, causing so much consternation, that Taobao posted a message on its Weibo account on July 27, writing: “We heard you guys couldn’t sleep last night..”

Although many people are shocked to find out the money they’ve spent on Taobao, others console themselves with the thought that adding up everything they have spent on Taobao, they were actually ‘rich’ at some point in their lives.

By Manya Koetse, with contributions from Miranda Barnes
