Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Maxthon Browser Sends Sensitive Data to China

Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors.

Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors.

Developed by China-based Maxthon International, the browser is available for all major platforms in more than 50 languages. In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.

Web Browser Sent to Server in China

Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number.

While dat.txt is encrypted, experts easily found the key needed to decrypt it, giving them access to the information. Exatel researchers demonstrated how a man-in-the-middle (MitM) attacker could intercept the data as it travels from the client to the Maxthon server in China.

The ueipdata.zip file is created and sent to Maxthon servers as part of the company’s User Experience Improvement Program (UEIP). The role of the program is to help the developer understand its users’ needs and deliver better products and services. The vendor claims the program is voluntary and “totally anonymous.”

However, as experts discovered, the data is being collected even if users opt out of the UEIP. They are concerned that the information on browsing habits and the installed applications could be highly valuable for a malicious actor looking to conduct a targeted attack.

“Essentially, the information that is being transmitted back contains almost everything you would want in conducting a reconnaissance operation to know exactly where to attack. Knowing the exact operating system and installed applications, and browsing habits it would be trivial to send a perfectly crafted spearphish to the victim or perhaps set up a watering hole attack on one of their most frequented websites,” explained Fidelis Cybersecurity CSO Justin Harvey.

Some Maxthon customers who noticed that the ueipdata.zip file is created even when they opt out of the UEIP asked the company for clarifications. The vendor’s representatives said they only collect “basic data” when the feature is disabled – as opposed to “sensitive data” harvested when UEIP is enabled. However, according to researchers, sensitive data is sent to China regardless of how UEIP is configured.

Advertisement. Scroll to continue reading.

Exatel said it contacted Maxthon about its findings, but it hasn’t heard back from the vendor. Experts have tested the latest version of the web browser and determined that it still transmits the data even if UEIP is disabled. SecurityWeek has reached out to Maxthon for comment.

This is not the first time researchers have raised concerns about web browsers developed by Chinese companies. Experts at the University of Toronto’s Citizen Lab have identified security and privacy issues in several popular Chinese browsers, including QQ Browser, UC Browser and Baidu Browser.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.