Maxthon browser vulnerable to Chinese cyberespionage and MitM attacks

Researchers spotted the China-based browser sending sensitive data to a server in Beijing.
Researchers spotted the China-based browser sending sensitive data to a server in Beijing.

Researchers at Fidelis Cybersecurity and Poland-based Exatel found that the Maxthon browser sends sensitive data to a browser in Beijing and is prone to man-in-the-middle (MitM) attacks.

The browser regularly sends a small encrypted file containing the user's entire browsing history, including Google searches, queries and a complete list of software installed on the user's computer, all without the prior authorization of the user, according to a recent report released by the firms.

The file is created as part of the Maxthon User Experience Improvement Program (UEIP), which is designed to understand users' needs to deliver better products and services. The program is supposed to be voluntary, but researchers found the information was being sent regardless of the user's decision to opt in or out of the program. 

A Maxthon customer who opted out of the program noticed the file being sent and asked a representative on the company's official browser forum for clarification of the file's contents, to which the representative responded that the firm will “only collect basic data such as browser start condition and not the data that involves the user's privacy,” according to screenshot of the conversation in the report.

“What adds irony to the whole matter, is that the creators of the browser inform on their website that it was created with the thought of ensuring security and privacy to the users in the light of scandals related to violation of the privacy by the American National Security Agency (NSA),” the report said.

Researchers said many users appear to be fond of the browser specifically because the creators don't share data with the NSA.

In addition, due to an error in the cryptographic architecture, the data which is transmitted may be intercepted and decrypted by any potential attacker, researchers said.

Using this information, if attackers obtained the user's email they could send a message, authenticated by its content, containing an attachment armed with a remote code execution exploit that could compromise the user's device, the report said.

The data collected could be analyzed for identifying targets based on the URLs users browse and applications on their devices which can be cross referenced with a vulnerability database to learn what sort of spearphishing attacks would work against them, Fidelis Cybersecurity Chief Security Officer Justin Harvey told SCMagazine.com via emailed comments.

“I personally believe it is possible that this information was being collected as a means of surveillance, for both foreign and domestic use cases,” said Harvey.

Harvey also said that it's illegal to bypass the “Great Firewall” domestically in China and that people looking to use Facebook, Twitter, Google, or any other banned sites, need to use forbidden VPNs. The browser also provides a way for China to monitor citizens' Internet usage overseas, he added.

“Regardless of which network is being used, the way that the Maxthon browser is set up today, it will send their browsing history back to Maxthon's HQ,” Harvey said. “How could the Chinese government not have access to this treasure trove of information?”

The browser is available for all major platforms in more than 50 languages and it is unclear how long Maxthon has been collecting this information.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS