Thousands of apps made using code that originates with Chinese internet giant Baidu feature a massive security flaw that enables hackers to easily access personal data from the users, including locations, search terms, sites visited and device ID numbers.

This data is being collected and transmitted insecurely due to code found in a software development kit users to design apps for Android and Windows phones, originally used by Baidu and now adopted by numerous other firms.

According to security researchers at Citizen Lab, part of the University of Torontos Munk School of Global Affairs, millions of users, primarily in China, have likely been affected by the data leaks, which saw huge amounts of data sent without encryption and, in some cases, in plain text.

Among the apps designed using the faulty SDK are Baidus own web browsers for Android and Windows, as well as those developed by other companies. Altogether, apps and browsers made using the SDK have been downloaded hundreds of millions of times.

Baidu is one of the biggest tech companies in China, and operates the most used search engine in China, among other services. According to Alexa, the search engine homepage is the most visited website in China, and the fourth most visited website worldwide.

According to Citizen Lab, while some elements of the SDK have been fixed by Baidu after they were notified of the security flaws, some issues remain unresolved and Baidu currently has no plans to fix them, including the fact that the address bar contents can be accessed while being input.