Maxthon Spyware-like Behavior Reported

[JohnTHaller]

I posted on PortableApps.com but thought folks could benefit here, too:

According to Polish security researchers at Exatel, Maxthon Cloud currently engages in multiple spyware activities. An English translation of the report can be found here: https://exatel.pl/advisory/maxthonreporten.pdf

User ksdev on Hacker News summarizes it:

TL;DR: It doesn't matter if you agree to join "User Experience Improvement Program" in Maxthon or not - the browser regularly sends this data to Beijing servers:

- Windows service pack version,
- screen resolution,
- Maxthon version,
- CPU freq,
- Maxthon path,
- adblock info,
- startup site address,

and the most important:

- ADDRESS OF EVERY VISITED SITE - full history, with every query entered in google,
- every ~5 reports - FULL LIST OF INSTALLED SOFTWARE (with exact versions).

This is from the HN discussion located here: https://news.ycombinator.com/item?id=12094930

The above data is purportedly sent via a channel which can be intercepted by a third party and decrypted due to errors in the Maxthon encryption code.

The report is from the new MX5 series browser which PortableApps.com doesn't yet package (still 4.4) but the 4.9 release of it is listed on PFC here: http://www.portablefreeware.com/index.php?id=301

[Specular]

That HN item is criminally undervoted if what it's claiming is correct.

[JohnTHaller]

That HN item is criminally undervoted if what it's claiming is correct.

It's likely related to the title of "Maxthon browser is a spyware" causing people to think it is a low-quality post. It was made when the only item available was in Polish likely by someone for whom English is not their first language.

[Specular]

That HN item is criminally undervoted if what it's claiming is correct.

It's likely related to the title of "Maxthon browser is a spyware" causing people to think it is a low-quality post. It was made when the only item available was in Polish likely by someone for whom English is not their first language.

dang could probably be contacted for a title change, though I'm not sure it would help visibility by now. Or it could just be resubmitted using a modified URL.

In your position it's a hard call as there's only one report of this, though it certainly reads as plausible and there are other user reports of the file. Couldn't this be verified by using the decryption key mentioned in the PDF to decrypt the zip's contents?

Also, this is relevant to the Portable Freeware DB entry.

[smaragdus]

@JohnTHaller
Do you know whether previous versions of Maxthon (3 & 4 series) also have the same behaviour or only the 5 series are affected? As far as I can remember I have read an article about similar behaviour of another Chinese browser- UC Browser.

[JohnTHaller]

@JohnTHaller
Do you know whether previous versions of Maxthon (3 & 4 series) also have the same behaviour or only the 5 series are affected? As far as I can remember I have read an article about similar behaviour of another Chinese browser- UC Browser.

I'm looking into whether 4.4 is involved or not as that is the last version we distributed. No one should be using 3.x at this point as it's unsupported and insecure.

We now know that Maxthon, Qihoo 360 Secure Browser, QQ Browser, UC Browser, etc all engage in spyware-like behavior due to various security analyses. It seems to be an ongoing pattern with all of the Chinese browsers. This doesn't bode well for Opera if the Qihoo folks wind up getting the purchase past regulators.