
China Digital

Cybersecurity Researcher Discovers Unsecured Database with Millions of Chinese Social Media Chat Logs

Victor Gevers says it is his mission to “report vulnerable systems.”

Manya Koetse


Image by iFeng Games (games.ifeng.com)


Victor Gevers, a Dutch researcher at the cyber-security NGO GDI Foundation, has discovered that a Chinese database containing 364 million records, including personal identity data, images, and chat conversations of PRC citizens, was left open to anyone who searched for its IP address.

Some of the information records allegedly come from apps developed by Chinese tech giant Tencent, including WeChat (Weixin), WeChat Wallet and QQ, but also from Alibaba’s Wangwang Message (阿里旺旺), which is the main chat program used on China’s most popular e-commerce site Taobao.

Gevers tweeted about his findings earlier this week (@0xDUDE). Journalist Yuan Yang reported about the issue in the Financial Times on March 4, writing that a large number of the records had the names and addresses of Chinese internet cafes on them.

Chinese internet cafes are legally required to install monitoring software on their computers (Wǎngbā guǎnlǐ ruǎnjiàn 网吧管理软件 “Internet cafe management software”). Well-known examples of this software are PubWin, Sicent (万象), Zuolun (左轮), or Fangzhu (方竹).

Gevers extensively tweeted about the open database over the past few days. On March 2nd, Gevers wrote on Twitter:

“So this social media surveillance program is retrieving (private) messages per province from 6 social platforms and extracts names, ID numbers, ID photos, GPS locations, network information, and all the conversations and file transfers get imported into a large online database.”

On Tuesday, March 5th, Gevers also spoke to the Dutch ‘Foreign Desk’ (Bureau Buitenland) Radio 1 program, saying:

“We assume that these messenger services are being screened by Chinese authorities, and of which [the information] is collected in one place. What we saw is that the profiles connected to GPS locations, device use, which wifi networks were used, Chinese ID numbers, ID photos – basically the full profile relating to the conversations. And then these conversations were sent out to various provinces across seventeen servers.”

On Twitter, he further stated:

“Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name.”

On March 4th, Gevers also wrote that “[Chinese internet] is a space filled with open databases,” later tweeting that the same holds true for other countries, including the US.

News of the online leak was also picked up by various Chinese media outlets, including tech news site Driver China (驱动中国). Chinese news sites Sina, Sohu, Phoenix News, Techcrunch.cn, IThome.com, and Q Daily also reported about the issue, but these news articles were all pulled offline at time of writing, coming up with a ‘404’ error message.

One Chinese blog reporting on the issue not only highlighted that the database discovered by Gevers was accessible to anyone who knew its IP address but, notably, also reported that it was available for viewing “free of cost.”

The issue was discussed on Weibo, where hashtags such as “360 million records leaked” (#中国3.6亿份聊天记录被泄露#) popped up with hundreds of views, but comments were soon taken offline.

As the annual Two Sessions (两会), China’s most important political event of the year, are currently taking place, Chinese social media is seeing increased censorship and control.

One of the comments that did get through on Weibo noted that as long as news reports were being ‘harmonized,’ it would be difficult for people to tell if this is “fake news” or not.

The fact that Chinese authorities screen digital data is no secret. In 2016, China’s Ministry of Public Security announced that messages posted on social media platforms such as Weibo, Baidu Tieba, or WeChat, could be identified as legal evidence and that China’s public security organs have the right to access electronic information and collect user data.

As a hacker and researcher, Gevers says his mission is to “report vulnerable systems” and sometimes “share what we learn.”

By now, the internet service provider behind the server has been warned about the open database, and within two hours after receiving the warning, the database was no longer accessible.

But how is such a leak possible in the first place? According to Gevers, the answer is quite straightforward: “The problem here is a knowledge gap. And that [knowledge] problem is not just an issue in China, it’s a worldwide problem (…) among people who build these kinds of systems,” he said on Dutch Radio 1.

Gevers’ research also made headlines in February of this year, when the Dutch hacker revealed that millions of personal data records stored by the Chinese AI-based security software company Sensenets were openly accessible.

For more about the Sensenets leak, check here. To follow Victor Gevers on Twitter see twitter.com/0xDUDE.

By Manya Koetse


©2019 Whatsonweibo. All rights reserved. Do not reproduce our content without permission – you can contact us at info@whatsonweibo.com.

Manya Koetse is the editor-in-chief of www.whatsonweibo.com. She is a writer and consultant (Sinologist, MPhil) on social trends in China, with a focus on social media and digital developments, popular culture, and gender issues. Contact at manya@whatsonweibo.com, or follow on Twitter.


1 Comment


    Joey

    March 5, 2019 at 10:45 pm

    Lovely, Dutch researcher working to improve the security of China’s surveillance systems. Too young, too simple, sometimes naive…


China Digital

TikTok’s In-Video Search Function (And How to Activate It)

TikTok shows a glimpse of what in-video search is going to look like in the future.

Manya Koetse


What is TikTok’s new in-video search function and how to activate it?

Twitter’s most awesome WeChat guru Matthew Brennan recently posted about an “in-video search function” launched in the Chinese social video app TikTok (抖音). (Click here to read about the difference between the Chinese and overseas version of TikTok).

As shown in a video posted by Brennan, the function allows TikTok users to select the face or clothes of a person appearing in a short video to search for other videos or images containing the same person or clothes.

The ‘vision search’ is a powerful new function within the super popular app.

The idea is that it becomes easier than ever for TikTok users to find (and buy!) a piece of clothing, that perfect handbag, or even a snack featured in a video.

It also helps users to quickly find other videos in which an online celebrity appears. The function ultimately is an additional feature that keeps users scrolling and shopping within the app – increasing app traffic – as long as possible.

On September 16, Chinese media reported about the function as a “powerful” new tool that greatly strengthens the functionality of the popular short video app.

The function might not immediately seem completely new to Chinese app users; like Google Image Search, Baidu and Taobao also have similar functions (百度识图, 淘宝识图).

On e-commerce platform Taobao, for example, you can take a photo of an item you want (e.g. a certain snack as in example below) and Taobao will try to find the exact same product and list the online stores where you can buy it.

But TikTok’s in-video search function is on a whole new level; it does not require users to scan or upload a photo at all. It gives an indication of what visual search will be like in the future.

Whatever video comes by in your TikTok stream, you only need to click the “search” function (识图), select the part of the video you want to search for (you can drag the square from area to area), and TikTok will find the product or face you’re looking for – as long as there are comparable products/faces (it does so very fast).

Very much like Taobao, TikTok will recommend various (in-app) online stores where the product can be purchased.

Want to try out the function? For now, it only works in the Chinese version of the app; it is still in the ‘testing phase’ and does not work with all videos.

Make sure you have an updated version of TikTok.

1. Go to “me” (我) page within TikTok
2. Tick the three lines in the top right corner
3. Go to the last option in the sidebar menu titled “lab” (实验室)
4. Activate the function (image below).

So now if you spot a dress you like and would like to buy, press the ‘search’ button on the right of a video, select the dress, and TikTok becomes like your personal shopping assistant looking for similar dresses for you.

TikTok makes shopping super easy.

This really makes online shopping more addictive than ever, and also makes it more difficult for people in online videos to hide where they bought their clothing, or what other videos they are in.


By Manya Koetse


China Digital

Didi Riders Can Now Have “Verified Party Members” Drive Them Around

Party-building 3.0? Didi has got it covered.

Manya Koetse


This is Party-building in the new era: Didi now allows users of its Premier Car Service to let a verified Party member drive them to their destination.

On September 20, as the People’s Republic of China is nearing its 70th-anniversary celebrations, the country’s most popular taxi-hailing app Didi published an article on Weibo and WeChat explaining its verified Party Member Driver Program.

Recently, riders in Beijing may have noticed something different about Didi’s Premier Car service, which has been called “Licheng” (礼橙专车) since June of last year.

Some of Licheng’s drivers now have a red background to their profile photos accompanied by a Communist Party emblem. Upon clicking the profile of these drivers, customers will see that this driver is a Party Member Driver (“党员司机”) – meaning that the Didi driver’s status as a Party member has been verified through Didi’s “Red Flag Steering Wheel” program (红旗方向盘项目) that was set up in November 2018.

Didi’s “Red Flag Steering Wheel” program (红旗方向盘项目) that was set up in November 2018. Image via Guancha.

Didi writes that these drivers can also be identified as Party members through the red sticker on the dashboard at the passenger side, which literally says “Party member driver.”

The article explains that the recent project is an effort to contribute to China’s Party-building in the digital era, and that Didi aims to establish a Party member community within its company.

This car is driven by a Party member (image via Didi/Weibo).

The company is apparently planning to make this community a lively one, as it promises to provide online and offline activities that will help these drivers stay up to date with the latest developments within the Party, and that will increase their “Party awareness.”

Starting this month, Didi will reportedly also offer “patriotic classes” to all of its drivers via its online classroom program.

China has more than 88 million Party members. Party membership does not come overnight; those who want to become a Communist Party member need to attend Party courses, pass written tests, be recommended by other members, and pass a screening (read more here).

For now, riders cannot manually choose a Party member as their driver; a nearby driver will be automatically selected when they order a car – if it is a Party member, they will know straight away from the driver’s profile.

For now, Didi has set up “mobile Party branches” in Beijing, Shanghai, Shenzhen, and a number of other cities.

On Weibo, some see the initiative as a marketing move from Didi’s side. “If you hear the driver is a Party member, you know it’s reliable. It’s a good thing.”

The past year was a tough one for Didi, after the murders of two young women by their Didi drivers made national headlines, causing outrage and concerns about customers’ safety when hailing a car through Didi.

By Manya Koetse
