Another Chinese browser accused of hoarding user data

Jul 14, 2016 16:00 GMT  ·  By

Two security firms have confirmed that the Maxthon web browser collects sensitive user information and sends it to its servers, even if the user opts out of such behavior.

According to reports from Exatel and Fidelis Cybersecurity, the issue lies in the current implementation of the User Experience Improvement Program (UEIP), a feature included with Maxthon browsers.

UEIP lets the browser maker collect analytics about how users use its product. All browsers do this, including the big ones such as Firefox and Chrome, but only to a certain extent.

Collecting more data than normally needed

Exatel and Fidelis claim that Maxthon is collecting more information than what would normally be considered acceptable.

The list includes OS version, screen resolution, CPU type, CPU speed, amount of memory installed, location of the Maxthon executable, ad blocker status, browser homepage URL, the user's entire browser history, all of their Google searches, and a list of other applications installed on their system, including their version numbers.

Exatel says it found all of this data inside a file called ueipdat.zip, sent regularly from the user's browser via HTTP to Maxthon's servers in China.

Inside this ZIP, researchers found an encrypted file called dat.txt. Exatel says it was able to crack the encryption, an AES-128-ECB cipher, using the passphrase eu3o4[r04cml4eir found hard-coded inside the Maxthon browser's binary. Dat.txt contained all the data mentioned above.
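The construction the report describes, AES-128 in ECB mode under a passphrase compiled into the shipped binary, is worth looking at from the analyst's side. The Go program below is an added example, not code from Maxthon, Exatel or Fidelis; it uses a constructed 16-byte key and a constructed telemetry record in place of the real passphrase and the real dat.txt contents. It shows two things: anyone holding the embedded key can decrypt a captured file, and ECB reveals repeated records (the same URL visited twice) to anyone who merely has the ciphertext, without the key. Go's standard library deliberately ships no ECB helper, so the mode is rebuilt here block by block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// pkcs7Pad appends PKCS#7 padding so the length is a multiple of blockSize.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// encryptECB encrypts each 16-byte block independently with the same key and
// no IV, which is exactly what makes ECB leak plaintext structure.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// decryptECB is the inverse; whoever extracts the key from the binary can
// run this on any captured upload.
func decryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext)%bs != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(out[i:i+bs], ciphertext[i:i+bs])
	}
	return pkcs7Unpad(out, bs)
}

// duplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier
// one. Under ECB this is non-zero whenever a plaintext block repeats, so an
// observer learns about repeated entries without ever knowing the key.
func duplicateBlocks(ciphertext []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+16 <= len(ciphertext); i += 16 {
		b := string(ciphertext[i : i+16])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// constructedKey is a placeholder for a passphrase embedded in a binary.
// It is a made-up value, not the one from the report.
var constructedKey = []byte("example-key-0123")

// constructedRecord is sample telemetry shaped like the fields the report
// lists. Every line is exactly 16 bytes so the repeated URL lands on a block
// boundary (constructed data).
var constructedRecord = []byte(
	"os=Windows 7 x64" +
		"url=example.org/" +
		"url=example.org/" +
		"app=Acme 1.2.3.4")

func main() {
	ct, err := encryptECB(constructedKey, constructedRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blocks: %d, repeated blocks visible without key: %d\n", len(ct)/16, duplicateBlocks(ct))
	pt, err := decryptECB(constructedKey, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the embedded key: %q\n", pt)
}
```

The mitigation side follows directly: a key that ships inside the client protects nothing from anyone who has the client, and an authenticated mode such as AES-GCM with a per-message nonce would at least remove the block-repetition leak. Neither fixes the underlying problem the report raises, which is what data is collected and whether opting out is honored.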

A bug or an intentional design?

Maxthon did not directly reply to Exatel's inquiries, but users confronted the company on its forum. Here, a Maxthon rep responded by saying that, when users opt into the UEIP program, the browser collects all the above sensitive data, but when they opt out, it only collects basic data regarding the browser's status, but not any user-specific information.

According to Exatel and Fidelis, this is not true, and in their tests, after opting out, the Maxthon browser kept sending the same data to the browser maker's servers.

Softpedia has reached out to Maxthon's representatives, offering them the opportunity to respond to this criticism publicly.

Previously, security and privacy researchers from Citizen Lab discovered a similar behavior in other Chinese browsers such as QQ Browser (March 2016), Baidu Browser (February 2016), and UC Browser (May 2015).

UPDATE [July 14, 2016]: We received the following statement from Jeff Chen, Maxthon CEO: "Maxthon takes these allegations from the Exatel report very seriously and is fully investigating the matter."

UPDATE [July 22, 2016]: Jeff Chen, Maxthon CEO, has provided a more in-depth answer to the Exatel report, which you can read below.

Maxthon Statement

[Photo gallery (2 images): Maxthon web browser; dat.txt showing a list of installed applications and their versions]