Maxthon Browser Sends Sensitive Data to China

Discussion in 'other security issues & news' started by ronjor, Jul 14, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    http://www.securityweek.com/maxthon-browser-sends-sensitive-data-china
     
  2. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    Scandalous. I am not surprised though.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
Below are the results of additional investigations made by the Polish portal "Zaufana Trzecia Strona"...translation to English by Google
    https://zaufanatrzeciastrona.pl/pos...i-to-wyjdzie-na-jaw-czyli-wyrzuccie-maxthona/
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
What did I tell you guys? I just knew these types of companies couldn't be trusted. I'm glad I dumped this browser like 10 years ago. I hope they will also investigate other popular browsers. Like I said before, when you think of it, the browser is the perfect spying tool, and it's very hard to detect if outbound connections are suspicious or not.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Storm in a teacup. Maxthon aren't doing anything Google aren't.
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,962
    Location:
    Brasil
Exactly. Besides, even if people use Firefox but also use most antivirus products, their browsing history is also being sent somewhere else.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Note that one guy saw a warning flag simply by observing the files created by Maxthon:
    http://forum.maxthon.com/index.php?/topic/18513-maxthon-permission-violation/
    and calling them on that was enough to get some clarification.

Perusing Exatel's write-up (https://exatel.pl/advisory/maxthonreporten.pdf), it appears this was a phone home to host u.dcs.maxthon.com (likely detectable via DNS alone), using HTTP on port 80 (easy to capture/inspect in various ways), performing a POST (pushing data TO the server), that was "sent regularly", containing several more red flags that someone modestly knowledgeable about HTTP could identify through simple review. I hope most people here fall between "that's easy to spot" and "that's not that hard to spot". The part that most people here probably would consider hard to very hard was just the dat.txt decryption (locating/interpreting the code that performs the encryption, identifying the algorithm used, discovering the key). Which is a critical step to understanding what is being phoned home and what the implications are. However, that wasn't a step that needed to be accomplished in order to realize that the communication is a security/privacy issue that requires further investigation. Just seeing ueipdata.zip outbound when UEIP is not opted-into was enough. Well, actually, just seeing the phone home should have been enough to encourage "What is in there? Am I OK with what is being sent? I should have a look or ask someone else.".

    While there are scenarios where it would be hard to spot an outbound threat via web browser, the browser's own traffic shouldn't be amongst those. In part because any halfway decent browser will provide the means to inspect its own traffic (including HTTPS traffic). Any that don't simply shouldn't be used for anything requiring security/privacy.
     
  8. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    111
Exactly why an AV company was bought for over $1 Billion. They don't make money selling licenses, they make money selling our data.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
Yeaa...if someone tries to steal your money from your left pocket, it's quite understandable that of course you agree to do the same with the right...really?
    :doubt:
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Point me to where Chrome continues to send data to Google despite disabling that functionality. That's what the real problem here is, not the fact that it's sending said data.
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    That's why it's free for the end user. ;)
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I don't quite get the analogy, apart from the fact that I paid no money to use Maxthon.
     
  13. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
AFAIK Maxthon, like all freeware browsers, data mines in some way. That's why they're free. Google just collects the information, equally surreptitiously in another way. As I said; FUD and storms in teacups.
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    Except Google is pretty much transparent about it - advertising is how they make money from their free products.

    http://www.theregister.co.uk/2016/07/19/mathon_browser_privacy_concerns/

    Just to be clear though I agree with you that this is much ado about nothing.
     
    Last edited: Jul 19, 2016
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I think Google is transparent about some of its data mining, they've not always been. I think a lot of the teacup storm (Lapsang? lol) is because Maxthon is perceived as 'Chinese' (the new enemy) for many Americans. Jeff Chen developed Maxthon in Hong Kong with US venture capital, moving to Beijing was a later stage. Maxthon even has offices in San Francisco.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    That's great but I'll stick with proven facts.

    Google data collection stops when it is disabled.
    Maxthon data collection doesn't stop, despite being disabled.

    Today's free software requires user trust, Maxthon just lost it.
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Well, as long as you've got your 'proven facts' that's OK then. We wouldn't want any FUD to get in the way of 'proven facts'. Today's free software requires money for it to have any efficacy or relevancy. Regardless of your ontologically subjective 'proven facts' that's the way it is. Some of Google's data mining may stop when it's disabled. As far as anyone knows. That is just as much 'proven fact' as anything else you may want to speculate. That is if you actually have proof of your 'proven facts'. Which is doubtful. Google almost certainly stop some data mining when you check a box or two on an interface. Just how much Google's data collection actually stops in real actuality is a matter of conjecture when they probably get it in other equally surreptitious ways. Of course, I'm not sure how that ties in with your 'proven facts'. Which still remain to be proven.

Will this or any other 'proven facts' stop me using Maxthon? Probably not.
     
  18. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    525
This is why I stopped using browsers and security apps from China. I found 360 Browser connecting to suspicious hosts in China. Uninstalled.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Well, I'm talking about simply looking at connections made by the browser. Most people can't and won't use data sniffers to figure out what's being sent. Just by looking at connections there is no easy way to find out if you're being spied on.

    Better yet, I noticed that browsers like Firefox and Opera are automatically making connections to certain hosts, even when no websites are open and all ports were already closed. Most of them are probably related to so called "Content delivery networks". But I wouldn't be surprised if these companies are also monitoring website usage.

    That still doesn't make it right, or less sneaky.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I suppose it depends if it's true or not. Almost every free app on the Internet monetises in some way, that's how come they're free. Maxthon is a very capable, fast and relatively secure browser. I imagine it costs a lot of money to develop it. There is a trend recently to demonise anything Chinese, although this appears to be predominantly an American trend.

    From Jeff Chen on the matter:

    'This week Exatel published a report saying that Maxthon collects sensitive user information and sends the URLs to the Maxthon server. We take the allegations from the Exatel report very seriously and have fully investigated this matter.



    User Experience Improvement Program (UEIP)

Maxthon implements a User Experience Improvement Program (UEIP), a standard industry practice to improve the user experience. Users are supposed to have full control when it comes to opting in or out of the UEIP. If a user opts out, the UEIP is not supposed to collect information. However, upon investigating the situation based on the Exatel report, we located a bug in our 2007 code library which will cause the setting to be ignored under some rare condition. We have immediately fixed this bug. We thank the Exatel team for helping us identify the problem.

    We’d like to note that the user information the UEIP program collects follows industry standard practice, and we share this practice with our users in the Maxthon UEIP policy. As pointed out in the Exatel report, the software information Maxthon collects is designed to improve the user experience by better configuring the software our users run in the system. Thanks to the UEIP program, we are able to analyze and solve configuration issues across all kinds of software. We will update our UEIP policy and provide even more transparency to our users.



    Sending URLs to the Maxthon server

    Exatel also reported that Maxthon sends URLs back to its server. Just as all URL security checks work, Maxthon’s cloud security scanner module (cloud secure) checks the safety of the websites our users visit. By implementing this URL security check, Maxthon sends URLs to its server to check if the website is safe or not. As a result of these security checks, we have prevented our users from visiting millions of fake and malicious websites since 2005. In our latest version, we will add an option for users to turn off the scanner.

    http://forum.maxthon.com/uploads/monthly_2016_07/security_scanner.thumb.png.b3fc128f23ec7fdb584281e831bf5a88.png



    Our Promise to Users

    We at Maxthon take users’ privacy and information security seriously. We keep our users’ information secure and private. Maxthon has been in business for over 10 years and there has NEVER been a privacy leak to any third party. We are a truly international company with servers located in the U.S., EU, and Asia. We take endless efforts to improve our product to protect users’ security and privacy.

    We are about to release our next-generation browser, the MX5, with enhanced features to protect user’s data and privacy.

    1. MX5 requires registration so that MX5 users are protected by a secure username and password.

    2. MX5’s Passkeeper feature provides triple encryption and multi-channel security using the AES256 algorithm. This algorithm strengthens the local database encryption and provides safer transmission to the cloud via https.

    3. MX5’s UUmail is a virtual email box that helps protect users real email addresses and get rid of spam emails.

    Please check www.maxthon.com for the latest information.'



    Jeff Chen (CEO of Maxthon)

    11:00pm EST, July 14, 2016

    ~ http://forum.maxthon.com/index.php?/topic/20208-security-and-privacy-are-top-priorities-at-maxthon/


    As I said; a storm in a teacup exacerbated by rabid Sinophobia. :isay:
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Looks like 'proven facts' aren't as proven as some claim. :argh:
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,962
    Location:
    Brasil
    Not a surprise at all.
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
Proven facts are difficult to swallow when you're too busy fanboying your favourite software facing criticism. Wouldn't want any of that evil criticism now, would we.

    What the original article claimed was a fact, end of story. There's no room for interpretation now, they have admitted it. A "bug" *cough* has been submitting data back to their servers.
    Let me quote you again.

    This is a false claim by you, as proven by this forum reply. You could have fanboyed up how this should be dismissed, or passed off as excusable, and some people here would have accepted your opinion and possibly agreed with you. But you didn't do that, instead, you made a claim that was incorrect. Sorry to break it to you.

    That's all great, this type of feature is standard in a browser. However, as an outsider investigating this browser, if I see this form of data in transit it means 2 security disasters are currently taking place.

    1) URLs are being sent unencrypted, this is a fact as one can see that URLs are being sent in the first place. That means anyone and everyone from you to the server can see what URLs you are visiting.
    2) URLs are not anonymized (hashed) in any way whatsoever. That means all URLs you visit can be associated to your IP address and a historical record can be created.

    Enjoy using your favourite security nightmare.
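As an added illustration (not code from the thread, Exatel, or Maxthon) of the detection points raised in post 7 and the two cleartext problems listed in post 23: a small Python checker run over constructed DNS and HTTP request records that flags the POST phone-home to u.dcs.maxthon.com, telemetry files sent while UEIP is opted out, and browsing URLs carried in plaintext. The record layout and sample values are assumptions; only the host and file names come from the thread.

```python
import re

# Constructed sample records (not real captures) in the shape a simple host-side
# capture would yield: DNS query lines plus parsed HTTP request metadata.
# The host name and file names are the ones named in the thread; everything
# else is an assumption made for this example.
PHONE_HOME_HOSTS = {"u.dcs.maxthon.com"}
TELEMETRY_FILES = {"ueipdata.zip", "dat.txt"}

SAMPLE_DNS = [
    "2016-07-14T10:00:01 query A u.dcs.maxthon.com",
    "2016-07-14T10:00:02 query A www.example.com",
]
SAMPLE_HTTP = [
    {"method": "POST", "host": "u.dcs.maxthon.com", "port": 80, "scheme": "http",
     "path": "/upload", "body_names": ["ueipdata.zip"],
     "body_text": "url=http://intranet.example/secret-page"},
    {"method": "GET", "host": "www.example.com", "port": 443, "scheme": "https",
     "path": "/", "body_names": [], "body_text": ""},
]


def dns_findings(lines, hosts=PHONE_HOME_HOSTS):
    """Return queried names that match known phone-home hosts (DNS alone suffices)."""
    found = []
    for line in lines:
        m = re.search(r"query\s+\S+\s+(\S+)", line)
        if m and m.group(1).lower() in hosts:
            found.append(m.group(1).lower())
    return found


def http_findings(requests, ueip_opted_in=False):
    """Return (host, reasons) for requests showing the behaviour the thread describes."""
    findings = []
    for r in requests:
        reasons = []
        sent_files = TELEMETRY_FILES & set(r["body_names"])
        if r["host"] in PHONE_HOME_HOSTS and r["method"] == "POST":
            reasons.append("POST to known phone-home host")
        if r["scheme"] == "http" and sent_files:
            reasons.append("telemetry archive sent over cleartext HTTP")
        if r["scheme"] == "http" and re.search(r"https?://", r["body_text"]):
            reasons.append("browsing URL sent in cleartext (not hashed)")
        if sent_files and not ueip_opted_in:
            reasons.append("UEIP data sent although UEIP is opted out")
        if reasons:
            findings.append((r["host"], reasons))
    return findings
```

Feeding it real records from a browser's network monitor or a local capture tool would need only a small adapter to the dictionary layout above.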
     
  24. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Accusing me of being a fanboy is admitting defeat. I was right about the storm in a teacup. Nice try at damage control, but no cigar.

FYI, I don't actually use Maxthon that much anymore.

    As I said; a storm in a teacup, no real facts, and lots of hot air. Now, that's a fact!
     
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I figured you had that in mind; you've commented on it before. Instead of lamenting, with you, the fact that basic connection information (remote IP Address and reverse DNS) alone provides an incomplete view which won't suffice for some assessments, I drew attention to some things which can help users develop a more complete picture. I don't want to see you, or anyone else, get hung up on... or even discouraged by... impediments that can be worked around.
    Just by looking at basic connection activity you answered the first question. You determined there is phone home activity. You probably saw signs that there are several different types of phone home. So you know there is something that you should investigate further.

    I don't know what Opera provides in terms of background traffic display, or Maxthon for that matter, but Firefox has a built-in network monitor. The Browser Console (Tools->Web Developer->Browser Console or Ctrl+Shift+J) will show background traffic (in addition to content tab traffic, which as you point out can be controlled while testing). How hard is it to look at requests shown there? That alone will answer many more questions. To see full URLs and requests/responses (including for HTTPS) you can use the built-in Browser Toolbox, or an extension, or external sniffer/MITM.

Most people, from the general population that is, would say nothing we're talking about is easy, everything is too complicated and time consuming, etc. However, at some point we stop spending energy on those poor souls who can't/won't and spend it on those who can/will (try, at least).
     
    Last edited: Jul 24, 2016