Microsoft Windows 10 Edge Browser SmartScreen Is Potentially Violating User Privacy

For the three of you out there running Microsoft's Edge browser (kidding!), some debatable privacy concerns have been raised about what information the SmartScreen feature is sharing (not kidding). In certain situations, Edge sends out URLs users have visited, and also their unique SIDs (Security Identifiers).

Security researcher Matt Weeks brought the issue to attention over the weekend in a Twitter post, noting the transmission of "your very non-anonymous" SID. In addition, a screenshot he posted shows a URL he visited in plain text, as opposed to being hashed.
"Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID)," Weeks wrote.

The security-minded folks at Bleeping Computer followed up on this and found the same thing. What happens with SmartScreen (which is designed to protect users from malware) is that Edge sends a JSON-encoded POST request to a Microsoft URL that includes information about the URL that is being checked.

Sending the URL in plain text is a privacy concern, as it could allow Microsoft to see a user's browsing history. However, it should be noted that Microsoft has been upfront about this in various documentation, outlining that a bunch of file information gets sent over a secure connection. It's disappointing that Microsoft is not hashing the data like Chrome does, but it's not a nefarious discovery, if you even want to call it that.

Sending SID information is a little different, though. I have not sifted through all of Microsoft's documentation, but according to Bleeping Computer, the sending of the SID does not seem to be referenced anywhere.
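
One way to check a captured request body for the two items discussed above, a plaintext URL and a Windows SID. This is an added example, not code from the article, the researchers or Microsoft; the JSON field names and values in the sample are constructed, because the article does not reproduce the request format.

```python
import json
import re

# Windows SID text form: S-1-<authority>-<sub-authority>...
# (user account SIDs on a machine or domain typically begin S-1-5-21-)
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+){1,14}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)


def walk(node, path="$"):
    """Yield (json_path, text) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit_body(raw_body):
    """Return (kind, json_path, matched_text) for each SID or plaintext URL found."""
    findings = []
    for path, text in walk(json.loads(raw_body)):
        for m in SID_RE.finditer(text):
            findings.append(("sid", path, m.group()))
        for m in URL_RE.finditer(text):
            findings.append(("plaintext_url", path, m.group()))
    return findings


# Constructed sample body: field names and values are invented for illustration.
SAMPLE_BODY = json.dumps({
    "destination": {"uri": "https://example.test/account/reset?user=alice"},
    "identity": {"user": {"sid": "S-1-5-21-1111111111-2222222222-3333333333-1001"}},
    "client": {"version": "0.0.0", "tags": ["constructed", "sample"]},
})

if __name__ == "__main__":
    for kind, path, value in audit_body(SAMPLE_BODY):
        print(f"{kind:14} {path:24} {value}")
```

A body that carried only a hash of the URL and no account identifier would produce no findings from this check.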

The good news going forward is that this behavior will change in the revamped version of Edge that Microsoft is developing. Edge is getting an overhaul to a Chromium-based browser, which is available to preview, and it does not send the SID during a SmartScreen request.