360 report Sogou collect user password evidence

November 7 Afternoon News, 360 companies held a media conference this afternoon, published Sogou collection of user privacy information and leakage of relevant information, said this time because of the dog leak and led to a major safety accident. However, Sogou to Sina Technology issued a statement insisted that Sogou browser no problem, this vulnerability event is completely 360 carefully planned, behind the scenes manipulated behavior.

360 company vice President Xiaodong said, November 5, 360 companies received feedback from users, said in the use of Personal QQ account to visit Sogou browser, you can see a large number of other users and passwords, the use of these accounts and passwords can be directly logged into these accounts. In these forums, a user posted on the details of the incident, especially how to obtain other user accounts and password detailed procedures, 360 companies immediately organize technical personnel to carry out the verification of this major safety incidents, verified that the relevant information is completely true.

Xiaodong said that Sogou leaks is a rare Internet security incident, the leaked user account information mainly includes three categories: login account and password, collection data and internet history:

First, after 360 company preliminary verification and according to the Netizen feedback incomplete statistics, the user account types that have been leaked are mainly: E-mail, social media, electric business, electronic payment, mobile application account, telecom operators, government, universities and enterprise internal management system.

Second, the access to the release of the leaked data is Sogou browser version 4.2, but the other version of Sogou browser login account and password, may be leaked to the use of Sogou Browser 4.2 version of the user computer. Sogou Browser Because of the automatic filling function is opened by default, and Sogou browser version 4.2 has been as a formal version in the promotion, so the security incident has a very wide impact.

Third, Sogou browser has tens of millions of users, the leakage of the account password classification is very wide, and the leakage time lasts at least 1 weeks. Currently, no other product has ever seen such large-scale user information leaks, which is a rare security incident in the history of internet browsers.

At the conference site, 360 to the media played a video (video address), the video shows that in a only basic application of the computer, download and install Sogou Browser, click Sogou Browser Account login system, using QQ account and password for registration and landing, double-click the system to exit. Then, click on the "smart form" in the toolbar, and then choose to manage the forms data, the page will pop up a form. Continue to click, there will be a large number of different users of the personal account password and other information. Video display, the use of these accounts and passwords can be entered into these users Taobao, mailbox, QQ and other systems.

360 technical personnel in the field analysis that causes leaks, is Sogou browser has the automatic filling function, this function will be the user's account number and password uploaded to the Sogou server. When users use the Sogou browser again, Sogou will collect the user account number and password from the server back to the browser to facilitate the user to use.

However, because the Sogou software in the synchronization of the design defects, users quit, will trigger the design error, causing the server will be a large number of other users of the account and password back to the browser, in addition to the account and password, but also include other users of the collection information, history and so on. The technician said.

360 technical staff suggest that for the user who has used Sogou browser automatic filling function, what must be done is the first time to modify all the login or saved account password, including but not limited to e-mail, social media, electricity, electronic payment platform, mobile phone application account, Government information management system, public utilities Information platform, telecommunications services, university internal management information systems, enterprise internal management system.

"And for companies providing Internet software services, users should be careful to collect privacy data, especially account passwords, and should provide a high level of security encryption measures to ensure that the user's personal information is not decrypted, as well as the separation of data between different users." In addition, Internet software should adopt a high level of software design architecture to ensure that personal information is not compromised by low-level software flaws. said the officer.

It is reported that the November 5 afternoon, the vulnerability report platform Wooyun (Dark Clouds) has released Sogou browser loopholes in the message. CCTV "24 hours", "News Live Room", "Hot scan", "Trading Time" and other columns in detail the reporter to verify the vulnerability information of the entire process.

Sogou response

For 360 of the action, Sogou company to Sina Technology issued an official statement (full text), said from November 5 onwards, 360 companies through careful planning and director, has manipulated the forum ID, micro-Bo and media, and use 360 navigation, window and other means, to Sogou browser again smear.

Sogou insists: "We promise, Sogou browser safe and reliable, and no loopholes, please be assured to use the majority of users." This is a 360-well orchestrated, behind-the-scenes operation. ”

Video of the evidence played against 360 media, Sogou company said that 360 of the video can not be its smear claim to provide any proof: as long as through the account synchronization function, in a computer with a QQ account login browser, while in B Computer Browser login with a QQ account, you can import form data, And then sync to a computer, this is the account synchronization mechanism of the normal functional characteristics.

Sogou said, after the incident, 360 security guards first issued a micro-blog to remind users, and then 360 officials in a short period of time the collective forwarding, and then 360 security guards to start the window to require users to stop using Sogou. 360 also posted on its website related news, the News of the list of many users out of the Sogou browser security vulnerabilities, but these users opinions are vest number, and released the explosion of the micro-Borg also very similar.

Sogou Company believes that in the card Food Forum on the roof of the dog after the post, 360 in the case of no contact with Sogou, confirm the nature of the problem, successively by publishing announcements in micro-blog, to the full network of users to play windows, the way to publish video, the details of the so-called loopholes, such acts violate the security industry rules, Its aim is to combat its rivals.