Twitter | Search | |
scriptjunkie
😱 Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID).
Reply Retweet Like More
Brandon Padgett Jul 20
Replying to @scriptjunkie1
Sending the websites isn't a shock due to what smartscreen filter is, but sending the sid is odd.
Reply Retweet Like
scriptjunkie Jul 20
Replying to @BrandonPadgett
Chrome, Firefox, and Safari use the Safe Browsing Update API which only sends hashed versions of the URL.
Reply Retweet Like
scriptjunkie Jul 20
Replying to @scriptjunkie1
Reposting for everybody; Firefox, Chrome, and Safari do not send your browsing history to their cloud overlords like Edge does. They compare 4-byte URL hash prefixes with downloaded bad hash lists.
Reply Retweet Like
SwiftOnSecurity Jul 20
Replying to @scriptjunkie1
So I’m going to follow up on this, from what I recall this is only supposed to fire for the full URL when heuristics find something. I don’t recall full fidelity forwarding but I might be wrong.
Reply Retweet Like
scriptjunkie Jul 21
Replying to @SwiftOnSecurity
Full repro steps: - Setup new Ubuntu VM with NAT and host only NIC's, install mitmproxy and start mitmweb logging. - Download extract and place in host only net. - Boot Windows VM, set static IP to use proxy, install certs - Visit the URL - See the above
Reply Retweet Like
scriptjunkie Jul 21
Replying to @SwiftOnSecurity
It may have non default smartscreen settings but I didn't change them. The dev VM terms only say this under privacy
Reply Retweet Like
scriptjunkie Jul 21
Replying to @scriptjunkie1
Adding repro steps to main thread
Reply Retweet Like
Stephen McLean Jul 21
Only if enabled! Why leave this little nugget out?
Reply Retweet Like
scriptjunkie Jul 21
Replying to @sfm_42 @Christoph_Fer
It was enabled by default, at least in the dev VM Microsoft allows you to test in. I'd be curious as to what specific options lead to this in a normal Windows install. Does accepting the defaults in the setup screens? Not sure.
Reply Retweet Like
Russ Jul 21
Replying to @scriptjunkie1
Do we know whether this is classic Edge, chrome-based Edge, or both?
Reply Retweet Like
scriptjunkie Jul 21
Replying to @AJBlue98
I believe this is classic, but I don't see why that would change with chromium, since they keep a lot of the stuff outside the renderer
Reply Retweet Like
scriptjunkie Jul 23
I'm not, it's the user sid. Same VM:
Reply Retweet Like
scriptjunkie Jul 23
Reply Retweet Like
scriptjunkie Jul 25
Replying to @scriptjunkie1
Also happens on a clean updated Win 10 iso install with default settings. The "diagnostic data" install item mentions "info about the websites you browse" but I'd guess users would still be surprised ("diagnostic" sounds like just error/crash info, not all-the-time)
Reply Retweet Like