2017-07-20 12:19:46

Third-party search engines have been found to provide access to files Baidu’s cloud users thought to be private.

On Tuesday, an article published on messaging app WeChat revealed a loophole in the Baidu’s Wangpan cloud storage service: Users who have generated “public” links to share documents, photos, and videos with their friends could have those files accessed by complete strangers using websites specifically designed to search content on Baidu’s cloud.

Net users often use these search engines to find and download pirated content, such as TV shows and movies, being stored on Baidu Wangpan. “I use them because I can conveniently access digital books for free,” Wang, a doctoral student from Xuzhou in eastern China’s Jiangsu province, told Sixth Tone. He declined to give his full name, saying he was ashamed of pirating content.

On Thursday afternoon, many of the search engines Sixth Tone attempted to access appeared shut down or displayed a variation of the message: “This domain is under review and will be made accessible pending its approval. Please come back tomorrow.”

However, one third-party search engine — Te Baidu, no relation to the larger company — was still up in running. When Sixth Tone entered the search term “contacts,” the site returned hundreds of results, including a Microsoft Excel file of a phone book belonging to the education bureau of Guiyang County, in central Hunan province. The document contained the phone numbers and academic affiliations of over 1,000 cadres and teaching faculty.

Tan Changzheng, a retired teacher whose name was among the first listed in the phone book, told Sixth Tone he felt “disgusted” upon learning about the breach of privacy.

When Sixth Tone attempted to access Te Baidu later in the day, the site returned the “under review” message.

In a statement published to their Weibo microblog account on Wednesday, Baidu referenced the WeChat article that broke the news and stressed that content in its cloud cannot be leaked if users don’t click the public share option, which is offered as a convenience but does not guarantee privacy. Instead, the company recommended that users sharing sensitive content select the private share option, which encrypts the file and requires a password for access. The warning “Anyone can see and download this” is and has always been displayed next to the public share option, though as of this week it now appears in red.

“We understand deeply that the key to our product is safeguarding users’ privacy,” Baidu’s statement read. “We will be stepping up our efforts to limit these third-party search sites.”

China’s first national cybersecurity law, which went into effect on June 1, is widely viewed as a new milestone in the country’s ongoing efforts to regulate internet access. One of its provisions states that a net user may not violate the privacy of another, though no punishment is specified.

“Baidu Wangpan must offer better technology to protect its users’ online safety,” Ding Jinkun, an attorney at DeBund Law Offices in Shanghai, told Sixth Tone. “Otherwise, the resulting loss in market share will be a bitter pill to swallow.”

Editor: David Paulk.

(Header image: A woman accesses the Baidu Wangpan cloud storage service, Shanghai, July 20, 2017. Wu Huiyuan/Sixth Tone)