The Maxthon web browser has the ability to gather user information and then send it to its servers, even if the user opts out of that procedure, researchers said.
The issue is in the current implementation of the User Experience Improvement Program (UEIP), a feature included with Maxthon browsers, said researchers at Exatel and Fidelis Cybersecurity.
Maxthon is a freeware web browser for Windows, OS X and Linux, developed by Chinese company Maxthon Ltd based in Beijing.
UEIP lets the browser maker collect analytics about how users use the product. All browsers do this, including the major ones such as Firefox and Chrome, but only to a certain extent.
Exatel and Fidelis said Maxthon is collecting more information than would be acceptable.
The Maxthon browser has anywhere from 0.75-1% of the global browser market, and has been estimated to hold 2-3% of China’s own domestic browser market, according to a Fidelis report. The total global user count is estimated to be in the hundreds of millions.
The data collected includes OS version, screen resolution, CPU type, CPU speed, amount of memory installed, location of the Maxthon executable, ad blocker status, browser homepage URL, the user’s entire browser history, all of their Google searches, and a list of other applications installed on their system, including their version numbers.
Exatel found all of this data inside a file called ueipdat.zip, sent regularly from the user’s browser via HTTP to Maxthon’s servers in China.
Inside this ZIP, researchers found an encrypted file called dat.txt. Exatel said it was able to crack the encryption, an AES-128-ECB cipher, using the passphrase eu3o4[r04cml4eir found hard-coded inside the Maxthon browser’s binary. dat.txt contained all the sensitive data.
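The two artefacts described above, a ZIP upload named ueipdat.zip and an encrypted dat.txt inside it, are what a defender would look for when triaging this kind of telemetry. The following script is an added example written for this page; it is not code from the Exatel or Fidelis report and not Maxthon’s code. It does two things with stdlib Python only: it opens a ZIP blob, checks for a dat.txt entry and reports whether the contents look like block-cipher ciphertext (byte entropy near 8 bits and a length that is a multiple of the 16-byte AES block), and it scans HTTP access-log lines for POSTs of a file named ueipdat.zip. The ZIP payloads, the log lines, the Apache-style log format and the 7.0 entropy threshold are all constructed assumptions for the example; none of it is real Maxthon traffic.

```python
"""Defender-side triage of the UEIP telemetry artefact described in the report:
(1) inspect a ueipdat.zip for a dat.txt entry and decide whether it looks
encrypted, and (2) flag ueipdat.zip uploads in HTTP access logs.
All sample data below is constructed for this example, not real telemetry."""
import hashlib
import io
import math
import re
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Values near 8 suggest ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_ueip_archive(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Look inside a ZIP blob for dat.txt and report whether its contents are
    consistent with block-cipher ciphertext (high entropy, 16-byte aligned)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        if "dat.txt" not in names:
            return {"has_dat_txt": False, "entries": names}
        payload = zf.read("dat.txt")  # decompressed entry contents
    ent = shannon_entropy(payload)
    aligned = len(payload) % 16 == 0  # AES without streaming yields 16-byte multiples
    return {
        "has_dat_txt": True,
        "entries": names,
        "size": len(payload),
        "entropy": round(ent, 3),
        "block_aligned": aligned,
        "looks_encrypted": ent >= entropy_threshold and aligned,
    }


# Assumed Apache/NCSA-style access log format: client ident user [time] "METHOD path proto"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def find_ueip_uploads(log_text: str) -> list:
    """Return one record per POST whose path ends in ueipdat.zip."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["method"] == "POST" and m["path"].lower().endswith("ueipdat.zip"):
            hits.append({"client": m["client"], "time": m["ts"], "path": m["path"]})
    return hits


# ---- constructed sample data -------------------------------------------------
def build_sample_zip(payload: bytes, name: str = "dat.txt") -> bytes:
    """Build an in-memory ZIP with a single entry, mimicking ueipdat.zip's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


ENCRYPTED_LIKE = pseudo_random_bytes(4096)                      # 16-byte aligned, ~8 bits/byte
PLAINTEXT_LIKE = b"os=Windows 7;res=1920x1080;cpu=Intel;" * 40  # low entropy, not aligned

# Constructed log lines; 10.0.0.0/8 clients and paths are made up.
SAMPLE_LOG = """\
10.0.0.12 - - [14/Jul/2016:10:01:22 +0000] "POST /ueipdat.zip HTTP/1.1" 200 0 "-" "Maxthon"
10.0.0.12 - - [14/Jul/2016:10:01:40 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Maxthon"
10.0.0.33 - - [14/Jul/2016:10:02:05 +0000] "POST /upload/ueipdat.zip HTTP/1.1" 200 0 "-" "Maxthon"
10.0.0.40 - - [14/Jul/2016:10:02:09 +0000] "GET /ueipdat.zip HTTP/1.1" 404 0 "-" "curl"
"""

if __name__ == "__main__":
    print(inspect_ueip_archive(build_sample_zip(ENCRYPTED_LIKE)))
    print(inspect_ueip_archive(build_sample_zip(PLAINTEXT_LIKE)))
    for hit in find_ueip_uploads(SAMPLE_LOG):
        print("ueipdat.zip upload:", hit)
```

The entropy and alignment checks only say that dat.txt is consistent with a block cipher; they cannot confirm which cipher or key was used. The log scan is deliberately narrow (POST method and the literal filename) so it can be dropped into an existing proxy-log pipeline without generating noise from GET requests or unrelated archives.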
Maxthon did not directly reply to Exatel’s inquiries, but users confronted the company on its forum. There, a Maxthon representative responded that when users opt into the UEIP program the browser collects all of the sensitive data listed above, whereas when they opt out it collects only basic data about the browser’s status and no user-specific information.
Exatel and Fidelis said that is not true. In their tests, after opting out, the Maxthon browser kept sending the same data to the browser maker’s servers.
“Maxthon takes these allegations from the Exatel report very seriously and is fully investigating the matter,” said Maxthon Chief Executive, Jeff Chen in a Softpedia report.