It’s probably not a great idea to use China’s top web browsers. After slamming the security of the UC and Baidu mobile browsers, researchers from Citizen Lab at the University of Toronto have now identified serious problems with both the Windows and Android versions of Tencent’s widely-used QQ Browser.
According to the security researchers, Tencent’s browsers transmitted personal user information back to the company’s headquarters with either no protection at all, or poorly implemented encryption that could easily be broken.
The researchers theorized these could be deliberate backdoors, aimed at expanding state surveillance.
Get Data Sheet, Fortune’s technology newsletter.
Both versions sent back the addresses of visited pages, along with identifying data about the phones or computers being used for the surfing. The Android version of the QQ Browser also sent back search terms that the user typed into the address bar, again with poor security protection.
What’s more, the researchers said, there were holes in the software-update mechanisms for both browsers, making it possible for someone to send malware to the user’s device.
Why does all this matter? Firstly, the Android version of the QQ Browser is used by almost half of all Chinese mobile users. Here’s what the researchers said:
This insecure data transmission means that any in-path actor (such as a user’s ISP, a coffee shop WiFi network, or a malicious actor with network visibility across any of these type of access points) would be able to acquire this personal data by collecting traffic and performing any necessary decryption.
It’s not just random attackers that users of these Chinese browsers need to be concerned about. As Citizen Lab demonstrated last May, Edward Snowden’s leaks showed that similar vulnerabilities in the UC Browser (used by over half a billion people in China and India) were known to intelligence services, and used to spy on people.
For more on privacy and national security, watch:
Suspicious of the similarities between the security holes in the QQ, UC and Baidu browsers, the researchers said they asked Tencent whether there was a underlying reason. They received no answer, but Tencent did strengthen some of the browsers’ security mechanisms after being notified of them — though not to the satisfaction of the researchers.
In their paper, the researchers suggested the flaws could result from poor industry norms and/or pressure from the authorities, who want to be able to easily spy on citizens. After all, China has numerous regulations on tech firms, demanding that they aid authorities.
“It is reasonable to hypothesize that company officers put in place wide-reaching data gathering functionalities either at the request of, or to appease the preferences of, China’s security services,” they wrote. “More research is needed to evaluate this hypothesis.”
