You are here

Maxthon Spyware-Like Behavior - Looking For Additional Confirmations

2 posts / 0 new
Last post
John T. Haller
John T. Haller's picture
Offline
Last seen: 1 hour 36 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Maxthon Spyware-Like Behavior - Looking For Additional Confirmations

According to Polish security researchers at Exatel, Maxthon Cloud currently engages in multiple spyware activities. An English translation of the report can be found here: https://exatel.pl/advisory/maxthonreporten.pdf

User ksdev on Hacker News summarizes it:

TL;DR: It doesn't matter if you agree to join "User Experience Improvement Program" in Maxthon or not - the browser regularly sends this data to Beijing servers:

- Windows service pack version,
- screen resolution,
- Maxthon version,
- CPU freq,
- Maxthon path,
- adblock info,
- startup site address,

and the most important:

- ADDRESS OF EVERY VISITED SITE - full history, with every query entered in google,
- every ~5 reports - FULL LIST OF INSTALLED SOFTWARE (with exact versions).

This is from the HN discussion located here: https://news.ycombinator.com/item?id=12094930

The above data is purportedly sent via a channel which can be intercepted by a third party and decrypted due to errors in the Maxthon encryption code.

As this story unfolds, I'll be looking for independent confirmation. If the above is correct, we will be immediately pulling Maxthon from our app directory and pushing out an update to users with the warning.

UPDATE: It appears the research was done on Maxthon 5 (which would likely apply to the current 4.9 release from their site as well). Maxthon Portable packaged as a PAF by the Maxthon France group that we make available is only at version 4.4 so this may not apply.

Gord Caswell
Gord Caswell's picture
Offline
Last seen: 1 month 2 weeks ago
DeveloperModerator
Joined: 2008-07-24 18:46
User Agent 4.4.5.10

In that report, the initial User Agent is shown on page 4 as being 4.4.5.10. On the last page, the final paragraph states that as of 4.9.3.1000 the behaviour still existed.

Accordingly, based on that, IMHO, we may be safer with pulling the browser now.

[EDIT] I'm going to see if I can get confirmation in a VM.

Log in or register to post comments