Maxthon Web Browser Sends Sensitive Data To China

Reader wiredmikey writes: Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors. Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis (PDF) revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number. Interestingly, In 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.

Forks and their security

[LichtSpektren]

Firefox and Chromium* have a lot of forks, but I would advise against using them. Mozilla and Google have world-class security experts working for them, and when you use generic Firefox/Chrome, you get their security updates the moment they're released out, not when your fork-team's got around to setting them out.

Suppose you want to use Chromium as a base but are concerned about your privacy with respect to Google, so you don't want to use Chrome. That's perfectly understandable, but using Opera or Vivaldi or Maxthon instead is insanity, since they're all black boxes and you're not really sure what they're doing with your data (case in point, TFA). There's a 100% FLOSS fork of Chromium in the works called Iridium but I cannot recommend it yet because I don't know enough about the competency of their team, but it's definitely worth looking into. Until then, just use vanilla Chromium and rig your own auto-update system.

As for Firefox, there's a great extension called Privacy Settings that can optimize all your config flags for privacy (i.e. turn off telemetry, network prefetch, etc.) in just one click. I would recommend however that you keep dom.storage.enabled on, since a lot of websites are unusable without it. Also be wary that security.ssl.require_safe_negotiation needs to be toggled if you need to connect to an insecure website, such as the USPS's.

*For those unaware: Chromium is the base of Chrome. The only difference between them is that Chrome is shipped with an auto-updater and plugins for Flash and Widevine.

Re:In today's news

[The-Ixian]

Not just Chinese companies...

How about a NJ company too?

https://www.comodo.com/home/br...

Yeah, the same company behind superfish has a "secure" web browser too.

Re:So, what about other browsers.

You can see it with wireshark, the omnibar in Chrome is actually a keylogger. It sends each and every keypress as an individual TCP packet. This is how Google is able to give you informed decisions on websites to visit while you are typing.