Chinese browser Maxthon grants admin rights to malware: researchers


Security-focused Chinese web browser Maxthon contains a vulnerability that could give hackers administrative rights on Windows computers, granting them control over an operating system, cybersecurity researchers have found.

Why it matters: Maxthon International, the browser’s developer, claims that 670 million internet users worldwide utilize its software as their default browser. TechNode was unable to verify the claim.

  • The company had a market share of around 1% in China at the end of 2016 and has pushed to gain traction in the international market since 2017.
  • Maxthon has not been free from controversy. The company was previously accused of sending personal data from international users back to China, including browsing history and information about their computers.
  • The company positioned its browser as being secure and private following Edward Snowden’s 2013 revelations that detailed actions of the US National Security Agency’s once-clandestine global data collection program.

Details: The vulnerability could give malware, and thereby malware authors, administrative rights on Windows computers they have already infected and on which the browser is installed, researchers from US-based cybersecurity firm Safebreach said in a report shared with TechNode. Administrative rights allow a user to install, modify, and delete software and files on a computer.

  • A Maxthon spokesperson told TechNode on Thursday that the company works closely with security firms to “fix any issues,” adding that the vulnerability alone “will not cause security problems but could be used as privilege breach in a carefully crafted security attack.”
  • The vulnerability affects Maxthon 5 browsers, the latest major release by the company.
  • The bug also could allow attackers to execute malicious code every time a computer is started up.
  • The nature of the vulnerability makes it difficult for security products to detect, the researchers said.
  • Safebreach reported the issue to Maxthon in September, with the company confirming its existence later that month, Safebreach said.
  • Maxthon has issued a fix in a beta version of the browser, with an official release being pushed out this week, the company wrote in an email.

Context: In 2016, Polish researchers found that Maxthon browsers sent details about users’ operating systems, homepages, web and search history, and installed applications back to servers in China, albeit in encrypted form.

  • Despite the encryption, the researchers said that the data could be intercepted while in transit between a user and the company.
  • Maxthon previously claimed that users could opt out of the data collection program, which the company said was aimed at improving its service. However, the researchers found that the data was collected even when users opted out.

The article has been updated to include a response from Maxthon.