scriptjunkie
😱 Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID).
scriptjunkie 20 Jul 19
Replying to @scriptjunkie1
Reposting for everybody; Firefox, Chrome, and Safari do not send your browsing history to their cloud overlords like Edge does. They compare 4-byte URL hash prefixes with downloaded bad hash lists.
scriptjunkie 21 Jul 19
Replying to @scriptjunkie1
Adding repro steps to main thread
scriptjunkie 25 Jul 19
Replying to @scriptjunkie1
Also happens on a clean updated Win 10 iso install with default settings. The "diagnostic data" install item mentions "info about the websites you browse" but I'd guess users would still be surprised ("diagnostic" sounds like just error/crash info, not all-the-time)
SwiftOnSecurity 20 Jul 19
Replying to @scriptjunkie1
So I’m going to follow up on this, from what I recall this is only supposed to fire for the full URL when heuristics find something. I don’t recall full fidelity forwarding but I might be wrong.
scriptjunkie 21 Jul 19
Replying to @SwiftOnSecurity
Full repro steps:
- Set up new Ubuntu VM with NAT and host only NICs, install mitmproxy and start mitmweb logging.
- Download extract and place in host only net.
- Boot Windows VM, set static IP to use proxy, install certs
- Visit the URL
- See the above
Russ Johnson 21 Jul 19
Replying to @scriptjunkie1
Do we know whether this is classic Edge, Chrome-based Edge, or both?
scriptjunkie 21 Jul 19
Replying to @AJBlue98
I believe this is classic, but I don't see why that would change with Chromium, since they keep a lot of the stuff outside the renderer
Brandon Padgett 20 Jul 19
Replying to @scriptjunkie1
Sending the websites isn't a shock due to what SmartScreen filter is, but sending the SID is odd.
scriptjunkie 20 Jul 19
Replying to @BrandonPadgett
Chrome, Firefox, and Safari use the Safe Browsing Update API which only sends hashed versions of the URL.
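Added example, not part of the thread: a sketch of the local hash-prefix check the posts above attribute to the Safe Browsing Update API, where the browser hashes host-suffix/path-prefix forms of the URL and compares 4-byte SHA-256 prefixes with a downloaded list. The function names and the sample list are constructed for illustration, and canonicalization is simplified (no percent-escape normalization, no IP-address handling).

```python
import hashlib
from urllib.parse import urlsplit

def host_suffixes(host):
    # Exact host, plus up to four suffixes taken from the last five labels;
    # the bare top-level label is never used on its own.
    labels = host.split(".")
    out = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        out.append(".".join(labels[i:]))
    return out

def path_prefixes(path, query):
    # Path with query, path alone, then "/" and up to three directory levels.
    out = [path + "?" + query] if query else []
    out.append(path)
    prefix = "/"
    dirs = [prefix]
    for seg in path.split("/")[1:-1][:3]:
        prefix += seg + "/"
        dirs.append(prefix)
    return out + [d for d in dirs if d not in out]

def expressions(url):
    # Simplified canonicalization (assumption): scheme, port and fragment
    # are dropped and the host is lowercased; nothing else is normalized.
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return [h + p for h in host_suffixes(host)
            for p in path_prefixes(u.path or "/", u.query)]

def prefix4(expression):
    # First 4 bytes of SHA-256 over one host/path expression.
    return hashlib.sha256(expression.encode("utf-8")).digest()[:4]

def local_hits(url, bad_prefixes):
    # Comparison happens on the client. Only the prefixes returned here
    # would be sent in a follow-up full-hash lookup, never the URL itself.
    return sorted({prefix4(e) for e in expressions(url)} & bad_prefixes)

# Constructed stand-in for the downloaded list of bad hash prefixes.
SAMPLE_BAD_PREFIXES = {prefix4("b.c/1/"), prefix4("malware.example/")}

if __name__ == "__main__":
    for url in ("http://a.b.c/1/2.html?param=1", "https://example.org/"):
        hits = local_hits(url, SAMPLE_BAD_PREFIXES)
        print(url, "->", [h.hex() for h in hits] or "no local match, nothing sent")
```

A URL with no local match produces no network request at all, which is the privacy difference the thread draws against sending the full URL.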