This could very well be a case of overreacting and far-reaching paranoia. However, it cannot be said enough that we are living in an age when protecting our data has become a top priority for most (and should be for all). That's why, when I read the details regarding the troubles now plaguing the Maxthon browser, I immediately wanted to warn people that it would be in their best interest to stop using the application.
What exactly has been discovered that could be so damaging to this underdog browser? Fidelis Cybersecurity reported that Poland-based Exatel uncovered the Maxthon browser regularly sends a file, via HTTP, named ueipdata.zip, to a server in Beijing, China. The ueipdata.zip contains a file called dat.txt which stores information about the following:
- Operating system
- Ad blocker status
- Homepage URL
- Browser history
- Installed applications (and their version number)
That's a rather daunting list of information to be sending to a third party server. Although it may add a level of comfort to know that the data sent out of your device is encrypted (via a symmetric Rijndael ((AES)) algorithm using a constant 16-byte key of "eu2o4[r04cml4eir"), it may (or may not) surprise you to know the experts that discovered the issue easily found the decryption key.
It's very interesting to know the reason why Exatel thought to look twice at a packet that was setting off their Deep Packet Inspection (DPI) alarms. As they monitored the transmission of data, they discovered a phrase which repeated several times during the packet transfer. That phrase?
Exatel initially thought this could have been a joke (since it was around April First). However, after further investigation, they discovered the packet was emanating from the Maxthon Browser, installed on three Exatel employees' computers, and heading straight for a server in China.
Could be innocuous
The abbreviation UEIP (from ueipdata.zip) stands for User Experience Improvement Program. This is part of a voluntary program (as claimed by the creators of Maxthon) that is purported to improve the browser experience by anonymously sharing information about:
- Hardware on which the browser is installed
- Operating system information
- Error and crash data reported during browser functioning
According to the developers at Maxthon, this program can be easily opted out of. Naturally, Exatel decided to test this by unchecking the option to participate in the UEIP program during installation.
The results of unchecking that option? The ueipdata.zip still transferred itself to the Chinese server and still contained the dat.txt file. The conclusion? Opting out of the program has no effect.
Even though the data is encrypted, there's a glaring issue. Exatel discovered just how easy it is to run a Man-In-The-Middle attack to on the Maxthon encryption library. It was very easy to figure out the Maxthon browser makes use of the MxEncode library and the encryption key was actually embedded in the Maxthon code. With that information, they created their own DLL library which imitated the original MxEncode library and were able to decrypt the data. They ran this on the browser that had opted out of the UEIP program and, to no one's surprise, the transmission to the server contained:
- The Windows service pack version
- A version of Maxthon browser
- The screen resolution
- The type and frequency of processor
- The local path Maxthon was installed in
After continued browsing, the file started collecting a list of installed software and precise version numbers contained on the host machine. Effectively, the opted-out machine was transmitting the very same data as the opted-in machines.
That, my friends, is a massive security issue.
What should you do?
This is one of the easiest solutions I've ever had to report. Uninstall Maxthon. Period. End of story. Remove it from all of your devices, desktops, laptops, and anything in between. It's great to have so many options, but sometimes those innocent sheep are truly malicious wolves. Although some might think the collected data harmless, it is still a breach in security that cannot be trusted.
Read the full report from Exatel.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.