Researchers at Fidelis Cybersecurity and Exatel found that Maxthon frequently sends zip files to Beijing over HTTP, and that these files contain a terrifying amount of data about users’ browsing habits. The file includes, among other things, details of the sites visited by users, the applications they have installed, and what searches have been performed.

The data is contained within an encrypted file called dat.txt, but the necessary decryption key can be easily calculated, researchers showed. They also demonstrated how the data could be intercepted using a man-in-the-middle attack as it made its way to China, and how this data could then be used for malicious purposes.

The company behind the browser says that the data is collected as part of its optional User Experience Improvement Program (UEIP) and is completely anonymous. But security experts found that data was collected regardless of whether users opted in or out of the program.

Maxthon has responded to the allegations, saying it takes them “very seriously” and has “fully investigated this matter”.

(original article at: