Privacy alert: Maxthon web browser sends private data about users to China
In the world of web browsers, there are four or five big names to choose from but no end of smaller alternatives. One such browser is Maxthon, and security researchers have just discovered that this Chinese-produced browser is transmitting a wealth of data about users back to China.
Researchers at Fidelis Cybersecurity and Exatel found that Maxthon frequently sends zip files to Beijing over HTTP, and these contain a terrifying amount of data about users' browsing habits. The ueipdata.zip file includes, among other things, details of the sites visited by users, the applications they have installed, and what searches have been performed.
The data is contained within an encrypted file in ueipdata.zip called dat.txt, but the necessary decryption key can be easily calculated, researchers showed. They also demonstrated how a man-in-the-middle attack could intercept the data as it made its way to China, after which it could be used for malicious purposes.
The company behind the browser says that the data is collected as part of its optional User Experience Improvement Program (UEIP) and is completely anonymous. But security experts found that data was collected regardless of whether users opted in or out of the program.
Maxthon has responded to the allegations, saying it takes them "very seriously" and has "fully investigated this matter". CEO Jeff Chen says:
"We at Maxthon take users’ privacy and information security seriously. We keep our users’ information secure and private. Maxthon has been in business for over 10 years and there has NEVER been a privacy leak to any third party. We are a truly international company with servers located in the U.S., EU, and Asia. We take endless efforts to improve our product to protect users’ security and privacy."
This is unlikely to be enough to calm the fears of those who have already been spooked by the discovery, however.