A Chinese-made internet browser, used by millions worldwide, is collecting sensitive data from its users and sending it back in an encrypted zip file disguised as an image, security researchers announced Thursday.
“Essentially, the information that is being transmitted back contains almost everything you would want in conducting a reconnaissance operation to know exactly where to attack,” wrote Fidelis Cybersecurity CSO Justin Harvey in a blog post.
The exfiltration was discovered by one of Fidelis's partners, the Polish security firm Exatel, using Fidelis tools. The browser is made by the Chinese cloud firm Maxthon, which holds between three-quarters of a percent and one percent of the global browser market, mostly in China, but with millions of users elsewhere.
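The disguise described above, a zip archive sent under the cover of an image, is something an analyst can check for without decrypting anything: compare the content type a transfer claims against the file's magic bytes, and if the bytes are a zip, read the general purpose bit flag of each local file header, where bit 0 marks an encrypted entry. The following is an added example, not code from Fidelis, Exatel or Maxthon; the image signatures, the MIME-to-format mapping and the sample payloads are constructed here for illustration, and nothing in it is taken from the actual Maxthon traffic.

```python
import io
import struct
import zipfile
import zlib

# Constructed lookup of image magic bytes (assumption: the formats an
# exfiltration payload could plausibly be mislabelled as).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ZIP_LOCAL_SIG = b"PK\x03\x04"
# 30-byte zip local file header: sig, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def inspect_zip_entries(data: bytes) -> list:
    """Walk the local file headers of a zip and report, per entry, its name
    and whether bit 0 of the general purpose flag (encryption) is set.
    Entries with bit 3 set store their sizes in a trailing data descriptor,
    so the walk cannot skip past them reliably and stops there."""
    entries = []
    off = 0
    while data[off:off + 4] == ZIP_LOCAL_SIG:
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = LOCAL_HEADER.unpack_from(data, off)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & 0x1)})
        if flags & 0x8:
            break
        off += 30 + nlen + xlen + csize
    return entries


def classify_payload(declared_mime: str, data: bytes) -> dict:
    """Compare the declared MIME type (e.g. 'image/png') with what the bytes
    actually start with, and list any encrypted zip entries found."""
    declared = declared_mime.split("/")[-1]
    actual = "unknown"
    for fmt, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            actual = fmt
    entries = []
    if data.startswith(ZIP_LOCAL_SIG):
        actual = "zip"
        entries = inspect_zip_entries(data)
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": actual != declared,
        "encrypted_entries": [e["name"] for e in entries if e["encrypted"]],
    }


def build_plain_zip() -> bytes:
    """Constructed sample: a real, unencrypted zip holding one text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sysinfo.txt", "os=constructed\ncpu=constructed\n")
    return buf.getvalue()


def build_encrypted_like_zip() -> bytes:
    """Constructed sample: one hand-built local file header with the
    encryption flag (bit 0) set. The body is opaque filler standing in for
    ciphertext; this is not a real ZipCrypto or AES archive."""
    name = b"report.dat"
    body = b"\x00" * 16
    header = LOCAL_HEADER.pack(ZIP_LOCAL_SIG, 20, 0x1, 0, 0, 0,
                               zlib.crc32(body), len(body), len(body),
                               len(name), 0)
    return header + name + body


if __name__ == "__main__":
    for mime, blob in (("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
                       ("image/png", build_plain_zip()),
                       ("image/jpeg", build_encrypted_like_zip())):
        print(classify_payload(mime, blob))
```

The check is deliberately shallow: it reads headers only, never decrypts, and stops at entries that use a data descriptor. For a traffic feed, the two signals worth alerting on are a declared image type whose bytes are a zip, and any zip entry with the encryption bit set.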
Maxthon’s PR contractors did not immediately respond to an email requesting comment.
The discovery highlights the opacity of installed code. For the ordinary user downloading software from the Internet, there is almost no way to tell what data it may be collecting or where it might be sent.
“Often we’re installing software onto our endpoints at home and at work, but we’re not verifying that the code is doing what it is purported to do. Visibility into both the network and endpoints has become critical for organizations,” writes Harvey.
“There is still relatively low awareness of these practices,” he added, urging users to “trust but verify” software.
The Maxthon browser sends back the user's operating system, the CPU type and speed, the amount of installed memory, the web address of every page the user visited (including Google searches), and a list of all installed applications with their version numbers.
“Knowing the exact operating system, installed applications and browsing habits, it would be trivial to send a perfectly crafted spearphish to the victim or perhaps set up a watering hole attack on one of their most frequented websites,” writes Harvey.