Slashdot Mirror


Maxthon Web Browser Sends Sensitive Data To China (securityweek.com)

Reader wiredmikey writes: Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors. Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis (PDF) revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number. Interestingly, in 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
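
A host-side check for the artifact named in the summary, as an added example that is not part of the original post or the researchers' report: it sweeps a directory tree for files named ueipdata.zip and reports whether each one holds a dat.txt member and how random that member's bytes look. The directory to scan, the report fields, the 1 MiB read limit and the sample archive are assumptions constructed for illustration.

```python
import math
import os
import zipfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ARCHIVE_NAME = "ueipdata.zip"  # archive name given in the summary
MEMBER_NAME = "dat.txt"        # member name given in the summary
MAX_READ = 1 << 20             # assumption: sample at most 1 MiB of the member


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8.0 are typical of encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def inspect_archive(path: Path) -> dict:
    """Describe one candidate archive without trusting that it is a real zip."""
    finding = {"path": str(path), "valid_zip": False,
               "has_dat_txt": False, "dat_entropy": None}
    try:
        st = path.stat()
        finding["size"] = st.st_size
        finding["modified_utc"] = datetime.fromtimestamp(
            st.st_mtime, tz=timezone.utc).isoformat()
        with zipfile.ZipFile(path) as zf:
            finding["valid_zip"] = True
            for info in zf.infolist():
                if Path(info.filename).name.lower() != MEMBER_NAME:
                    continue
                finding["has_dat_txt"] = True
                # The member is reported as encrypted, so only its
                # randomness is measured; no decoding is attempted.
                with zf.open(info) as fh:
                    finding["dat_entropy"] = round(
                        shannon_entropy(fh.read(MAX_READ)), 2)
                break
    except (zipfile.BadZipFile, OSError, RuntimeError) as exc:
        # RuntimeError covers password-protected zip members.
        finding["error"] = f"{type(exc).__name__}: {exc}"
    return finding


def sweep(root) -> list:
    """Walk root and inspect every file whose name matches ARCHIVE_NAME."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == ARCHIVE_NAME:
                findings.append(inspect_archive(Path(dirpath) / name))
    return sorted(findings, key=lambda f: f["path"])


def make_constructed_sample(root: Path) -> Path:
    """Write a constructed stand-in archive (not real Maxthon data)."""
    target = root / "profile" / ARCHIVE_NAME
    target.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(target, "w") as zf:
        # 4096 bytes with a flat byte distribution, mimicking ciphertext.
        zf.writestr(MEMBER_NAME, bytes(range(256)) * 16)
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(Path(tmp))
        for item in sweep(tmp):
            print(item)
```

A match whose modification time keeps advancing while the browser is running is consistent with the regular uploads the summary describes.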

119 comments

  1. Re:HaHa by Anonymous Coward · · Score: 0

    Someone set up us the browser

  2. color me surprised... by Anonymous Coward · · Score: 4, Insightful

    that a 'secure' browser developed IN china, sends user data back to china.

    1. Re: color me surprised... by Anonymous Coward · · Score: 0

      How is this different from Safari, Firefox or Chrome other than the geographical location?

    2. Re: color me surprised... by sunderland56 · · Score: 2, Insightful

      How is this different from Safari, Firefox or Chrome other than the geographical location?

      Because it sounds much more scary to say "your private info is being sent to China" than "your private data is being sent to Mountain View".

      There's no *actual* difference, of course; but the press can run with this story, because China == scary and California == good.

    3. Re: color me surprised... by Anonymous Coward · · Score: 0

      Well, China = place I can't sue if something goes wrong. MV = I can.

  3. In today's news by Zontar_Thing_From_Ve · · Score: 4, Insightful

    Security researchers discovered that a Chinese developed web browser you've probably never heard of that claims to have great security actually sends all kinds of personal information about your PC and web searches to a site in Beijing. Also, other Chinese developed web browsers that claim to have great security may do similar things.

    1. Re:In today's news by The-Ixian · · Score: 5, Informative

      Not just Chinese companies...

      How about a NJ company too?

      https://www.comodo.com/home/br...

      Yeah, the same company behind superfish has a "secure" web browser too.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:In today's news by dc29A · · Score: 4, Insightful

      On the internet, if something is free, then the user is the product. Maxthon Browser is a free download. Draw your own conclusions ...

    3. Re:In today's news by Anonymous Coward · · Score: 0

      I for one am shocked at this development.

      (though I have heard of it, very popular in China so had to test on it, and then quickly uninstall it from my device)

    4. Re:In today's news by jellomizer · · Score: 1

      So Linux secretly sends data to china?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:In today's news by Anonymous Coward · · Score: 1

      then quickly uninstall it from my device

      Too late. You're pwned now.

    6. Re:In today's news by Anonymous Coward · · Score: 0

      The best part is that you probably think the same thing can't happen in "your country."

    7. Re:In today's news by Austerity+Empowers · · Score: 1

      So Linux secretly sends data to china?

      According to many, it IS a communist plot.

    8. Re:In today's news by Anonymous Coward · · Score: 2, Funny

      So Linux secretly sends data to china?

      According to many, it IS a communist plot.

      No, the linux kernel sends all your activity to Linus at his alma mater in Finland hosted on a personal computer running Intel 80386. The 400 MB hard driver is almost full.

    9. Re:In today's news by Anonymous Coward · · Score: 0

      Linux benefits from users indirectly, mainly in the form of goodwill and being used in business critical infrastructure, both of which lead to someone paying the people who develop Linux.

      So in some sense, the user is the product here, too.

    10. Re:In today's news by thegarbz · · Score: 1

      On the internet, if something is free, then the user is the product. Maxthon Browser is a free download. Draw your own conclusions ...

      On the internet EVERYTHING is a generalisation.

    11. Re:In today's news by zlives · · Score: 4, Funny

      yup my windows 10 would never do that.

    12. Re:In today's news by chipschap · · Score: 1

      According to many, it IS a communist plot.

      This actually happened: someone where I used to work saw me carrying an OpenOffice manual and said, "What are you, a Communist? Around here we use Microsoft Office!"

    13. Re:In today's news by s.petry · · Score: 1

      According to many, it IS a communist plot.

      This actually happened: someone where I used to work saw me carrying an OpenOffice manual and said, "What are you, a Communist? Around here we use Microsoft Office!"

      And how exactly did you respond to the fascist? "How does that Chocolate Mussolini taste?"

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    14. Re:In today's news by AutodidactLabrat · · Score: 1

      This actually happened: someone where I used to work saw me carrying an OpenOffice manual and said, "What are you, a Communist? Around here we use Microsoft Office!"

      And how exactly did you respond to the fascist? "How does that Chocolate Mussolini taste?"

      What response is possible?
      Like the " Drill Baby Drill" crowd, these religious opinions are immovable by facts, logic or good sense.

    15. Re:In today's news by s.petry · · Score: 1

      I just like the Mussolini line and wanted to break it out :)

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    16. Re:In today's news by Anonymous Coward · · Score: 0

      So to stay secure, which browser are you paying for?

    17. Re:In today's news by Etcetera · · Score: 1

      yup my windows 10 would never do that.

      Adwords is far more of a security risk than Windows 10's telemetry is, unless you have a keylogger installed. And for normal users, Chrome (with its auto-save and auto-backup feature set) is just as bad.

    18. Re:In today's news by by+(1706743) · · Score: 1

      Yeah, but only if the wifi drivers are working...

      (Only joking -- I've never had a serious problem with wifi under Linux...)

    19. Re:In today's news by war4peace · · Score: 0

      That driver is a perv, being hard all the time and shit. Does he drive stick?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    20. Re:In today's news by gustygolf · · Score: 1

      Eh, Maxthon was pretty popular back in the IE6 days. It was one of the IE shells that added tabbed browsing.

      Also, quoth Wikipedia:

      Maxthon won CNET WebWare 100 Awards in 2008 and 2009, and was #97 in PCWorld's list of the 100 Best Products of 2011

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    21. Re:In today's news by Anonymous Coward · · Score: 0

      Pah! For all I can tell, Windows 10 telemetry IS a keylogger.

    22. Re:In today's news by cthulhu11 · · Score: 1

      Oh come now, NJ is -- unlike Taiwan and Tibet and the reefs they're destroying -- really just part of the PRC.

  4. Not untrue by Sneeka2 · · Score: 3, Funny

    the company boasted about its focus on [...] strong encryption.

    Well... they are using encryption to send that data, apparently. Can't say they didn't warn ya.

    --
    Bitten Apples are still better than dirty Windows...
  5. Its very secure by T.E.D. · · Score: 3, Insightful

    It is a very secure web browser. If you run that web browser, the Government of China feels far more secure.

    You westerners look at everything backwards.

    1. Re:Its very secure by lucm · · Score: 4, Insightful

      Contrary to what most people think, government in China is far from being a large, single-minded entity. It's more like the EU; lots of small factions and local fiefdoms.

      In the vast majority of cases, industrial or internet "spies" work for private concerns. Of course there's a blurry line because the government has their fingers in everyone's pie in China, either directly or via state employees who leverage their access to public resources to build their own small empire. But it's rarely a simple Big Brother thing.

      --
      lucm, indeed.
    2. Re:Its very secure by Anonymous Coward · · Score: 0

      If you run that web browser, the Government of China feels far more secure.

      I'd feel a lot more secure if I could keep tabs on my enemies, too.

    3. Re: Its very secure by Anonymous Coward · · Score: 0

      This is true of every large organization. Including companies. It's not wrong to treat them as one entity under the label they chose.

  6. Yes by Anonymous Coward · · Score: 1

    Any other software does the same with its country of origin: Google, Microsoft, Symantec, etc... Information has a price today!

    1. Re:Yes by nitehawk214 · · Score: 0

      Here come the China apologist astroturfers. "But but Google and Microsoft are just as bad!"

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    2. Re:Yes by Anonymous Coward · · Score: 0

      [citation needed]

    3. Re:Yes by Anonymous Coward · · Score: 0

      Here come the China apologist astroturfers. "But but Google and Microsoft are just as bad!"

      But if you can't handle the truth, then you are the "apologist astroturfers" not the truth purveyor that you are trying to demonize.
      Not everybody is as stupid as you think.

    4. Re:Yes by umghhh · · Score: 1

      I do not think GP needs any citation. The belief in deeper truth and higher moral stand is apparent though.

    5. Re:Yes by war4peace · · Score: 1

      I hope someone would save Tartar sauce...

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  7. What browser? by sjbe · · Score: 3, Insightful

    Security experts have discovered that the Maxthon web browser...

    Hands up from anyone who actually has heard of this web browser prior to reading this article. Anyone?

    (crickets)

    That's what I thought...

    1. Re:What browser? by Anonymous Coward · · Score: 0

      I have, unfortunately. And it sucks big time. Uninstalled as soon as I could.

    2. Re:What browser? by Scoth · · Score: 2

      I remember it from years and years ago as an IE shell for 5.0, 5.5, and 6.0 that provided a lot of functionality that IE6 just didn't have - tabs, ad blocking, popup blocking, etc. It was hugely popular at the company I worked for at the time because we had an ActiveX IE-based CRM that required us to use IE, and it allowed a lot of features. Looks like they call it "Maxthon Classic" now.

    3. Re:What browser? by ilsaloving · · Score: 1

      I did. I then saw that it was being written by a company in China, and noped in the opposite direction.

      China, both its gov't and its citizens, are so breathtakingly corrupt that I do my best to avoid them where at all possible, whether it's cyberspace or meatspace. I wouldn't trust any software that comes out of there, for the same reasons that I refuse to eat any produce that they make. If they aren't being duplicitous in their intentions, then they are cutting every conceivable corner to give them a price advantage, even if they know full well that those cuts can cause people to die.

    4. Re:What browser? by Mashiki · · Score: 1

      Maxthon has been around for over a decade and got the best browser awards or best product of x year a couple of times. If you haven't heard of it you haven't been paying attention (aka the sites you read were pushing their own shit), and you were likely on the Firefox bandwagon when it was getting all that attention.

      --
      Om, nomnomnom...
    5. Re:What browser? by Jason+Levine · · Score: 1

      I used to use this way back before I switched to FireFox (and before Chrome was even released). Back then, it was one of the best IE wrappers to give you tabs and other functionality that more modern (at the time) browsers were adopting. I ditched it after I switched to FireFox (and, later, Chrome). I didn't even realize they were still around since IE itself now has tabs.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    6. Re:What browser? by thegarbz · · Score: 3, Insightful

      Hands up from anyone who actually has heard of this web browser prior to reading this article. Anyone?

      You're asking on Slashdot if anyone has heard of a browser that has been covered 5 times on slashdot before several of which were directly about that specific browser?

      *raises hand*

    7. Re:What browser? by Anonymous Coward · · Score: 0

      Just the name sounds like Maxtor... remember? those HDD had the lifespan of a fly... or less. I would have never touched that setup file if I heard about it before this article xD

    8. Re: What browser? by cunina · · Score: 1

      Well, you uninstalled as much of it as it would allow you to.

    9. Re:What browser? by pepsikid · · Score: 1

      I loved Maxthon back in 2009. It had tons of usability and security features built-in. They abruptly changed the look and feel at some point, and I switched to firefox with about two dozen unsatisfying plugins.

    10. Re:What browser? by Anonymous Coward · · Score: 0

      It's the number one IE clone. You would sure know it if you did front-end.

    11. Re:What browser? by Anonymous Coward · · Score: 0

      I used it back when it was called MyIE, written by a single Chinese guy as an IE skin. It was a massive improvement to IE and being based in Asia, gained widespread adoption there and became very popular. I think at one point it was the most popular browser in Asia. It is not focused on USA or Europe and doesn't do marketing here, so it never had a lot of adoption in the states, just like they don't care about anything stamped with "Made in USA". Think of it like Opera. Lots of bleeding edge features for its time, but not used by the masses. I eventually moved to Firefox, but for a while MyIE/Maxthon had better features, and still does a few things better. Had it not been IE based, I probably would have kept on using it.

      It sounds like you can block this profiling by changing security permissions to the file it creates. The spying is part of their "User Experience Improvement Program" which tons of companies implement. Microsoft, Google, Apple, Mozilla, Valve, all app stores, and most package managers all do the same things. The only news here is that the data might also be sent when the feature is disabled. This could be a bug or it could be by design. It's possible when the feature was initially designed that the developers decided to always have the browser do the collection and then the analyzing software ignores data when the 'do not track' setting is set. That is easier and faster to develop and they probably assumed the data was secure since it was encrypted. However in the security world, trusting 3rd parties isn't allowed. We will have to see how they respond.

      And maybe you should realize you don't know everything in the world. Even if Maxthon wasn't a popular browser (which it was), this would still be news. Less people have heard about that Canadian ISP that was injecting ads into websites.

    12. Re:What browser? by Anonymous Coward · · Score: 0

      Exactly same journey. Back then there weren't many alternatives to IE if you ran Windows. Netscape had dissipated and Firefox was somewhat new. I remember trying Maxthon and a bunch of different alternatives. It was ok, had tabs and features that other people just mentioned. I just moved on to Firefox and then Chrome.

    13. Re:What browser? by Walter+White · · Score: 1

      It came preinstalled on my Lenovo laptop. I wondered why. Now I know.

  8. So, what about other browsers. by cloud.pt · · Score: 3, Insightful

    So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA? Aren't those 2 countries also known to perform indiscriminate, bulk data collections for law enforcement use, even if there's no warrant?

    I doubt a Chinese citizen is gonna be using my sensitive data any different than any other countries'. You should be worried if you're a China national, or if you're traveling to China and you happen to be using that browser for your hardcore anti-commie endeavors. JUST LIKE IF TRAVELING TO THE US AND DOING STUFF THEY DON'T LIKE ON ANY BROWSER.

    There is a limit to hypocrisy and bias. Stop being biased. I hate what is being done to Chinese people's liberties as much as the next guy, but who the fck cares about a detail that also happens to be true in all other instances.

    Now, of course, Russia would be a whole 'nother story. They happen to be mining data like rabbits procreate. I would be worried about that. Am I also being biased now?

    1. Re:So, what about other browsers. by ArchieBunker · · Score: 3, Insightful

      If they did send anything sensitive we would know about it by now. I mean come on hundreds of millions of people use these browsers and not a single person has posted any packet sniffer logs or demonstrated any proof of malicious behavior. The neckbeards here love to claim Chrome does this but ask them to provide some details and they suddenly clam up.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:So, what about other browsers. by CRCulver · · Score: 2

      So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA?

      You can build Chromium and Firefox from source and see for yourself.

    3. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA?

      Of course not. They send it all to Ireland, where it won't be illegal for the US/UK to snoop on it.

    4. Re:So, what about other browsers. by Anonymous Coward · · Score: 2, Informative

      You can see it with wireshark, the omnibar in Chrome is actually a keylogger. It sends each and every keypress as an individual TCP packet. This is how Google is able to give you informed decisions on websites to visit while you are typing.

    5. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA?

      You can build Chromium and Firefox from source and see for yourself.

      Yes, at this point nobody should be trusting a closed source browser, nor do people have any reason to have to trust a closed source browser since Firefox works very well.

    6. Re:So, what about other browsers. by ArchieBunker · · Score: 2

      Typing into the omnibar is the same as typing into google.com. What is your point? Are my passwords being sent? Is my browser history being sent? Again, put up or shut up with proof.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    7. Re:So, what about other browsers. by Anonymous Coward · · Score: 1

      >I doubt a Chinese citizen is gonna be using my sensitive data...

      And you would be right. Because 'citizens in general' are not the ones who end up with your data. This stuff does not go to an IoT toaster in someone's house. The data is collected, stored, and then sold by Maxthon to who knows whom. And you're right, it is not neighbourhood folks/citizens.

      Straw man.

    8. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      Can you prove that your sensitive info is *not* being sent?

    9. Re:So, what about other browsers. by T.E.D. · · Score: 1

      So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA?

      No, nobody is saying that. That's a strawman entirely of your own construction. But they aren't an open cesspool of centralized information thievery either (unless you pick up some malware, which is of course quite likely).

      But even if the implications of your comment were true (which it isn't), I'd be much more comfortable with my personal data going to countries that have rule-of-law than countries that don't. If a US-based person tries to blackmail you, you can have them arrested for that. If they do it to enough people long enough, they eventually *will* be arrested for that. If a Chinese person does it, the best you can hope for is to raise enough of a stink that they are forced to use some of their blackmail money to pay off a local official.

    10. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      Are passwords being sent with the Maxthon web browser? If not, what's really the difference here?

    11. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      Actually that's a good question, if you have a https://site.com/ link, is the password part being sent?

    12. Re:So, what about other browsers. by Zontar_Thing_From_Ve · · Score: 1

      So are you telling me Chrome/Chromium, Firefox, Safari, IE/Edge, Opera and Vivaldi won't send sensitive data to the UK or the USA?

      Prove it. Or shut up. Crybaby arguments like "everybody else does the same thing" with no proof is meaningless.

      Here, bucko. Let me give you a real example about why you might not care what Maxthon does but Chinese people might. A few years ago I had a Chinese girlfriend. I mean she was born and raised in China and lived there most of her life. She told me a story about being in college. She shared a dorm room with 3 or 4 other girls and one day the police called all of them in for questioning. Separately. Turns out that one of the roommates had some kind of vague link to Fulan Gong, like a relative was a member or something similar. My girlfriend told me that it was really scary for them and they had no idea at all that this girl had any kind of Fulan Gong link. If I remember correctly, the girl in question never returned to school after this. If you don't know what Fulan Gong is, look it up on Wikipedia. While they have some weird beliefs, do they strike you as a true national security threat to China? The Chinese government thinks they are, which is kind of funny since through some miracle nations such as the USA allow Fulan Gong to freely practice their beliefs and aren't in any danger of being overthrown as a result. I'm pretty sure that the Chinese government is looking for people who search for Fulan Gong or various other forbidden topics and the end result of people who look for forbidden topics is not likely to have a happy ending for those searchers.

    13. Re: So, what about other browsers. by Anonymous Coward · · Score: 0

      Funny how you skipped all the other things it sends. Apologist.

    14. Re: So, what about other browsers. by Anonymous Coward · · Score: 0

      Trying to reason with neckbeards is like talking to a wall.

    15. Re: So, what about other browsers. by Anonymous Coward · · Score: 0

      browser history? The fact is that how do you know google isn't logging everything you are typing into the omnibar? Especially when it's already been said that each keypress is being sent to google.com. Again, how is this any different? We already know that google logs all your searches.

    16. Re:So, what about other browsers. by war4peace · · Score: 0

      So it's okay for someone to take a dump in the middle of the driveway, because everyone else does it?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    17. Re:So, what about other browsers. by war4peace · · Score: 0

      No idea what Fulan Gong is, but I know what Falun Gong is.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    18. Re:So, what about other browsers. by brunes69 · · Score: 1

      TBF, Chrome *does* sync your passwords *AND* browser history with Google by default after you have logged it in. You have to know enough to manually turn those features off.

    19. Re:So, what about other browsers. by Anonymous Coward · · Score: 0

      Google is embedding itself into as many websites as it can. It doesn't need the browser to do the tracking. Not that I'm defending Maxthon, but Google has a bigger profile on you than Maxthon would have if you were using that browser.

    20. Re:So, what about other browsers. by cloud.pt · · Score: 1

      Um... it's called gag orders. Do you know why Google doesn't have a Warrant Canary? EXACTLY: they got gagged before the idea even surfaced. They have inferred they have been gagged multiple times, they are even making lawsuits against the state for disclosing this, together with Microsoft. You won't believe proof provided by the companies themselves and former employees of your top security agency, so why would I bother trying to prove anything to you.

    21. Re:So, what about other browsers. by cloud.pt · · Score: 1

      But you can't emulate Google's back-end, and you can't inspect the certificate authorities those browsers allow by default. You are missing the point. And even on Chromium, there is a reason why you can add sync features and avoid them when compiling: sync features are Google's proprietary code. Just like Google Play Services in Android.

    22. Re:So, what about other browsers. by cloud.pt · · Score: 1

      But those browsers trust on root CA's that are compromised... You're missing the whole point, because you're looking in the wrong place. If you go all orthodox and say "but it's not the browser directly doing this!", you're just hiding from the truth - those browsers use broken features most people deem secure by default. And as I said before, when you use sync and allow data sharing as soon as the browser starts asking around (and it will ask, those browsers are built around Google services, no matter how open they might sound), you will start sending anonymous data to be sniffed by authorities. You just trust them so much your bias flies when you hear the china-man is doing the same.

    23. Re:So, what about other browsers. by cloud.pt · · Score: 1

      That's one email server based on the news. Google's certificate keys, used for transport (and they hop around before they reach Ireland), are likely in the hands of the authorities for longer than we all think.

    24. Re:So, what about other browsers. by cloud.pt · · Score: 1

      Wait, isn't that exactly the same thing Google does with your data, sometimes even without proper consent? If not sell it, use it themselves for further enhancing their core business, you know, Ads... That thing everybody avoids like the plague and is the root of all browser-based malware infection (considering flash is pretty dead with the new paradigms on browsers disallowing them by default...). Yet you still don't see any major browser distribution shipping with adblock by default, do you?

    25. Re:So, what about other browsers. by cloud.pt · · Score: 1

      I never said that. I say this particular dump is being blown out of proportion, like most China-bound american cyberwarfare claims. Influencing people's opinion is no longer an art, it's commonplace, and nobody seems to notice the writings on the wall.

    26. Re:So, what about other browsers. by cloud.pt · · Score: 1

      Let me give you a real example about why you might not care what Maxthon does but Chinese people might.

      I'm gonna quote myself to explain you exactly why I stopped expecting much from what came after that line:

      You should be worried if you're a China national, or if you're traveling to China and you happen to be using that browser for your hardcore anti-commie endeavors.

      At least I didn't stop at "bucko". Or "prove it or shut up", or any other of your "flammy" ways to keep a dialogue. Muricanism is killing slashdot. Real Americans talk Sense&Reason, not Redneck-Texan-Nationalist-bull. And for the sake of the conversation - I understand your ex-girl's problem completely. But this Maxthon issue has nothing to do with it or at least is not directly related enough to even apply. They collect data because everybody does it and there's monetization to be done from it, not because they are being commanded by their state to do so like it's happening in Russia. People in China unfortunately have to know better than to do any risky browsing without an overseas VPN (they shouldn't have to, but it's the way the world works now), because that's the only way they'll be safe from their own government. But not from others'.

    27. Re:So, what about other browsers. by cloud.pt · · Score: 1

      Exactly. Thank god someone who knows the least bit of contemporary distributed applications to know that all the defaults in the browsers mentioned are the problem. People will argue "but you can disable that" a lot, but they seem to forget the amount of non-tech savvy people that exist in the world. And what that lack of savvy entails to their privacy.

    28. Re:So, what about other browsers. by cloud.pt · · Score: 1

      Another guy who knows his stuff. Google does need the browser actually - it uses the default settings shipped with those browsers for instantly "infecting" 99% of the user base with their warrant canary-less "encrypted" transport, including hardcoded programmed keys, unsafe root CAs for authentication of https, and whatnot.

    29. Re:So, what about other browsers. by CRCulver · · Score: 1

      You can't inspect the certificate authorities those browsers allow by default.

      When building Firefox from source (I don't know about Chromium), you can easily choose the authorities that you wish to allow.

  9. In People's China... by BenJeremy · · Score: 0

    ...Web Browser browses you!

  10. Went to the App Store - Apple by Anonymous Coward · · Score: 0

    It's there. The last update was April 30, 2015. And it has a 2.5 star rating out of 5. Skimming over the reasons for the bad reviews, it's just a shit browser.

    I'm gonna wait and see if Apple removes it. I thought their walled garden would spare us from shit like this.

    1. Re:Went to the App Store - Apple by Anonymous Coward · · Score: 0

      Exactly *when* did you think their walled garden would protect you? This is hardly the first time hearing about something like this. Yeah, yeah, Android is just as bad and probably worse. But it's 2016. If you still think apps in the app store can be trusted 100%, you haven't been paying attention.

  11. of course it does.. by Anonymous Coward · · Score: 1

    Why wouldn't it.
    Every browser sends your data somewhere in the world, be it China or the US, it's just as bad.

    1. Re:of course it does.. by Anonymous Coward · · Score: 0

      My browser sends my search queries to the selected search engine. This browser sends nearly everything about your computer to a third party in China. Yeah, that sounds "just as bad".

  12. Forks and their security by LichtSpektren · · Score: 5, Informative

    Firefox and Chromium* have a lot of forks, but I would advise against using them. Mozilla and Google have world-class security experts working for them, and when you use generic Firefox/Chrome, you get their security updates the moment they're released out, not when your fork-team's got around to setting them out.

    Suppose you want to use Chromium as a base but are concerned about your privacy with respect to Google, so you don't want to use Chrome. That's perfectly understandable, but using Opera or Vivaldi or Maxthon instead is insanity, since they're all black boxes and you're not really sure what they're doing with your data (case in point, TFA). There's a 100% FLOSS fork of Chromium in the works called Iridium but I cannot recommend it yet because I don't know enough about the competency of their team, but it's definitely worth looking into. Until then, just use vanilla Chromium and rig your own auto-update system.

    As for Firefox, there's a great extension called Privacy Settings that can optimize all your config flags for privacy (i.e. turn off telemetry, network prefetch, etc.) in just one click. I would recommend however that you keep dom.storage.enabled on, since a lot of websites are unusable without it. Also be wary that security.ssl.require_safe_negotiation needs to be toggled if you need to connect to an insecure website, such as the USPS's.

    *For those unaware: Chromium is the base of Chrome. The only difference between them is that Chrome is shipped with an auto-updater and plugins for Flash and Widevine.

    1. Re:Forks and their security by T.E.D. · · Score: 2

      Mozilla and Google have world-class security experts working for them, and when you use generic Firefox/Chrome, you get their security

      Why didn't you also mention Microsoft here? *innocent blink*.

    2. Re:Forks and their security by LichtSpektren · · Score: 4, Interesting

      Mozilla and Google have world-class security experts working for them, and when you use generic Firefox/Chrome, you get their security

      Why didn't you also mention Microsoft here? *innocent blink*.

      Several reasons.

      1. Firefox and Chrome(ium) are cross-platform. IE/Edge and Safari are not.
      2. Microsoft might have a competent security team (wouldn't bet my life on it though), but their company policy inhibits their browsers from being secure. For instance, it is well known that they share vulnerabilities with certain three-letter agencies before pushing the patches downstream.
      3. Given the Windows 10 debacle, anyone who leaves auto-updates on for any Microsoft OS is either uninformed or a fool.
      4. Even on Windows, there is no particular reason to use IE/Edge instead of Firefox/Chrome(ium). Microsoft's browsers are slower and have fewer and worse extensions.
      5. Firefox and Chromium are FLOSS, which means (a) you can audit the code yourself for any backdoors/spyware and then compile it yourself, and (b) Mozilla and Google would have to be exceptionally daft to attempt to hide any backdoors/spyware. IE/Edge are proprietary and closed-source, which means they're just as much black boxes as are Maxthon and Opera.

    3. Re:Forks and their security by zlives · · Score: 1

      clap clap, well said and without the WinX vitriol.

    4. Re:Forks and their security by Anonymous Coward · · Score: 0

      As OpenSSL taught us, open source projects are more than capable of hiding severe exploits in plain sight. Just because the source is open, doesn't mean that many people have actually bothered to go and review it.

      Have you ever tried to do a security code review on a large project's codebase? It's a monumental task. You pretty much require an intimate understanding of every element of the project that you're reviewing.

      If anything, projects being open source are more likely to lull people into a false sense of security, through assuming the code has been well reviewed (and look at your average open source project...the coding standards are utterly abysmal, in almost all open source projects, outside of really mission critical ones like the Linux Kernel - not much professional reviewing going on in most open source); and the same assumption would also lead to a variant of 'bystander effect', where people who might consider reviewing the code, may assume someone else has already done it, because the code is open source (saving them the enormous expenditure of time/effort necessary to perform the review...a big deterrent).

      A project being open source is not good enough. You need a dedicated team of paid professionals, to review the source (because people just aren't going to do a security code review, of high enough quality, for free...you get what you pay for).

      "Open source = code reviews and high security", is a dangerous myth that should be stifled - other assumptions that lead from that "surely someone wouldn't try to hide an exploit in plain sight, in an open source project?", are even more dangerous still, given that the prevalence of such assumptions within the open source community, is precisely what would enable such exploits (exploits which there is already precedent of...), since that assumption would act as a deterrent to looking/reviewing.

    5. Re:Forks and their security by Anonymous Coward · · Score: 0

      ...AND VICE-VERSA...

      All closed source binaries/applications are also being analyzed by a third party security company.
      There are so many cases where analyzing the disassembly code is easier than C/C++ source.
      As seen in this article, where Exatel analyzes a closed source browser from China. Bugs and privacy related "features" are uncovered even without the source code.

  13. Made in China, enough said by Anonymous Coward · · Score: 0

    Not a bad browser except for the Made in China fact. So that alone made me as skeptical as if it were developed in Iran or North Korea.

  14. So what by JustAnotherOldGuy · · Score: 0

    Big deal, Chrome probably does the same thing, only with the endpoint being at a server Google owns.

    And Win 10 with Edge? If you think that thing doesn't ship data by the borkload back to the lads at Redmond, then you're very, very naive. They even tell you it's shipping data back, except it's the browser AND the OS. I doubt you could so much as move the mouse without Microsoft knowing it.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:So what by Anonymous Coward · · Score: 0

      Are you really too stupid to tell the difference between "probably does it" and "can be demonstrated as doing it"? Proof or shut up.

  15. You're already using Windows by Anonymous Coward · · Score: 0

    so why would you care? Maxthon ain't got nothing compared to the troves of data Microsoft have on you.

    1. Re:You're already using Windows by zlives · · Score: 1

      because you may not be using windows.

  16. Maxthon is only a shell for IE... by Anonymous Coward · · Score: 0

    So there's your problem.

  17. knock. knock. by Anonymous Coward · · Score: 0

    hears the internet police knocking on the door...

  18. Let's put it this way by Anonymous Coward · · Score: 0

    Which browser doesn't send information back to the browser's originator?

    1. Re:Let's put it this way by zlives · · Score: 1

      lynx?

  19. Eyeroll by sjbe · · Score: 2

    You're asking on Slashdot if anyone has heard of a browser that has been covered 5 times on slashdot before [slashdot.org] several of which were directly about that specific browser?

    Wow, 5 whole articles over 12 years with most barely mentioning a browser that literally almost nobody uses. How did I ever miss that... [/sarcasm]

    1. Re:Eyeroll by The-Ixian · · Score: 1

      You are missing your opening tag. Therefore I am not able to parse your sarcasm.

      --
      My eyes reflect the stars and a smile lights up my face.

    2. Re:Eyeroll by thegarbz · · Score: 1

      How did I ever miss that... [/sarcasm]

      Inattention, bad memory, dunno. They were all incredibly popular with many stories.

  20. Hosts make this data exfiltration ez 2 stop by Anonymous Coward · · Score: 1

    Adding these 3 entries to your custom hosts file will block the data transmission:

    0.0.0.0 u.dcs.maxthon.com
    0.0.0.0 dcs.maxthon.com
    0.0.0.0 maxthon.com

    * Whether this "optional transmission" of data (full OR partial) is ON or OFF...

    APK

    P.S.=> So, IF I read the source article's research .pdf file here https://exatel.pl/advisory/max... correctly, that oughtta do it... apk
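An added example, not part of the comment above: a hosts-file audit for the three names that comment lists. Hosts entries match exact names only (there is no wildcard), so each name is checked individually and a commented-out line or a second entry pointing elsewhere is reported. The sample file content, the function names and the 'blocked'/'missing'/'overridden' labels are assumptions made for this illustration.

```python
import ipaddress

# Hostnames taken from the comment above; everything else here is constructed.
TARGETS = ("u.dcs.maxthon.com", "dcs.maxthon.com", "maxthon.com")

def parse_hosts(text):
    """Return {hostname: [addresses]} for every mapping in hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, skip it
        for name in fields[1:]:                   # one line may carry aliases
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def is_sink(addr):
    """Unspecified (0.0.0.0, ::) or loopback addresses never leave the host."""
    return addr.is_unspecified or addr.is_loopback

def audit(text, targets=TARGETS):
    """Map each target to 'blocked', 'missing' or 'overridden'."""
    table = parse_hosts(text)
    report = {}
    for name in targets:
        addrs = table.get(name.lower(), [])
        if not addrs:
            report[name] = "missing"
        elif all(is_sink(a) for a in addrs):
            report[name] = "blocked"
        else:
            report[name] = "overridden"           # some entry routes it out
    return report

# Constructed sample: one name commented out, one case variant, one alias line.
SAMPLE = """\
127.0.0.1   localhost
0.0.0.0     U.DCS.Maxthon.com   # case differs, still matches
# 0.0.0.0   dcs.maxthon.com
0.0.0.0     maxthon.com www.maxthon.com
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host:20} {state}")
```

To audit a real machine, pass the contents of the system hosts file to `audit()` instead of `SAMPLE`.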

  21. For more speed & security via hosts files by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Complements firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

    Gets data via 10 security sites.

    Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    Avg. webpage = big as Doom http://www.theregister.co.uk/2... & ads = 40% of the size.

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )

  22. Re: HaHa by cormandy · · Score: 1

    All your dat.txt are belong to us.

  23. Facebook data goes to China on demand too by Anonymous Coward · · Score: 0

    FBI moles reap that shit. Best kept not-secret in the history of Zucker bergs.

  24. There's an easy solution to this problem... by DugOut · · Score: 1

    Just email the two or three people who use it and tell them to stop using it.

  25. Not really underground stuff by Ilgaz · · Score: 1

    10M downloads on Android Google Play store. Of course, one star reviews started coming in.

  26. Firefox by Ilgaz · · Score: 1

    I enable every kind of telemetry, crash report on Firefox since they politely ask me to opt in and they are pretty clear about what they do with the data.

    Chrome, Edge and Opera (after becoming Chrome)? Never.

  27. Re:HaHa by Anonymous Coward · · Score: 0

    All your database are belong to us.