A security researcher has claimed that Microsoft is receiving the full URL of sites visited by the users running the original version of Microsoft Edge that comes pre-installed on Windows 10. What’s more concerning is the fact that the Security Identifier (SID) is also a part of the sent data, in addition to the page details, according to researcher Matt Weeks.
Matt Weeks took to Twitter to report that, except for a few popular sites, Edge sends the full URL of pages visited by users to Microsoft. Besides the page details, the SID is also included in the data.
Microsoft relies on SmartScreen to protect users from the risks posed by harmful websites once they are loaded in the browser. SmartScreen basically operates by checking the URL against a list of links reported by Microsoft. Thus, once a request to visit a site is submitted, a Microsoft server determines whether the user should be allowed to access it.
As mentioned above, the SID is also among the information sent. Moreover, it is unhashed. In case you are unfamiliar with the term SID, Microsoft explains it as a security identifier tasked with uniquely identifying a security principal or group. Security principals can represent a user account, a computer account, or even a thread or process running in the security context of a user or computer account. In short, a security principal can be anything that the OS can authenticate.
What it basically means is that with the help of SID, Microsoft can easily spot the visitors and the pages they visit, provided that SmartScreen is enabled in Windows 10.
Microsoft has also acknowledged in its privacy statement that the company collects certain information in order to run SmartScreen. The data sent to the company includes the file name, hashed file contents, download location and the file’s digital certificates.
The researcher has proposed a better approach, one already followed by browsers like Chrome, Firefox and Safari. These browsers do not send users’ browsing history to their cloud masters. Instead, 4-byte URL hash prefixes are matched against downloaded lists of bad hashes.
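The hash-prefix approach described above can be sketched as follows. This is an added example, not code from the researcher or from any browser. It assumes SHA-256 hashes, a heavily simplified URL canonicalization, and a follow-up request for full hashes on a prefix hit; `ListProvider`, `check_url` and the `.example` hosts are hypothetical names constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes: the prefix size mentioned in the article

def url_expressions(url):
    """Host/path combinations to hash (assumption: simplified; real
    clients canonicalize more carefully and try more combinations)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    paths = {parts.path or "/", "/"}
    if parts.query:
        paths.add((parts.path or "/") + "?" + parts.query)
    return [h + p for h in hosts for p in sorted(paths)]

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

class ListProvider:
    """In-memory stand-in for the list vendor's service (constructed)."""
    def __init__(self, bad_expressions):
        self.full_hashes = {full_hash(e) for e in bad_expressions}
        self.seen = []  # everything a client has ever sent to the service
    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}
    def full_hashes_for(self, prefix):
        self.seen.append(prefix)
        return {h for h in self.full_hashes if h.startswith(prefix)}

def check_url(url, local_prefixes, provider):
    """True if url is listed. The URL never leaves the client; only a
    4-byte prefix is sent, and only after a local prefix hit."""
    for expr in url_expressions(url):
        h = full_hash(expr)
        if h[:PREFIX_LEN] not in local_prefixes:
            continue  # common case: decided locally, nothing is sent
        if h in provider.full_hashes_for(h[:PREFIX_LEN]):
            return True
    return False

def demo():
    provider = ListProvider(["evil.example/login"])  # constructed entry
    prefixes = provider.prefix_list()  # the downloaded list
    clean = check_url("https://news.example/story?id=7", prefixes, provider)
    sent_after_clean = list(provider.seen)
    bad = check_url("https://www.evil.example/login", prefixes, provider)
    return clean, sent_after_clean, bad, provider.seen
```

In this sketch the service learns nothing about a visit to an unlisted page, and on a hit it sees only a 4-byte prefix with no user identifier attached.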
Microsoft has yet to issue a comment on this matter. As seriously as the company claims to take the privacy and security of its users, it had better have a solid explanation and a possible resolution for the above-mentioned concerns.