Edge

Over the weekend, privacy concern were raised regarding how Microsoft Edge is uploading the URLs to SmartScreen without hashing them first. After further testing by BleepingComputer, we learned that Windows 10 also transmits a great deal of potentially sensitive information about your applications to SmartScreen when you attempt to run them.

Over the weekend, security researcher Matt Weeks spotted Microsoft Edge sending the URL of a site being visited to SmartScreen. When sent this, this URL was not obfuscated or hashed in any way. which raised concerns that Microsoft could track what sites you visit.

Tweet

When communicating with SmartScreen, Edge will send a JSON encoded POST request to https://nav.smartscreen.microsoft.com/windows/browser/edge/service/navigate/4/sync that includes information about the URL that is being checked.

BleepingComputer was able to confirm this behavior using Fiddler that showed the following JSON being sent to Microsoft over a secure connection.

Unhashed URL being sent to SmartScreen
Unhashed URL being sent to SmartScreen

In addition to sending the URL in an unhashed form, Microsoft Edge for some reason also sent the logged in user's SID, or Security Identifier, to Microsoft. A SID is a unique identifier created by Windows when a new account is added to the operating system.

Sending a users SID

Many of the users in the Twitter thread have expressed concerns that sending the URL in an unhashed form is a privacy risk as it could allow Microsoft to see a user's browsing history. The addition of also sending a user's SID just added to the concerns.

SmartScreen for applications exposes even more data

While Weeks' research focused on how SmartScreen operates when browsing the web, in tests by BleepingComputer you can see that SmartScreen also exposes a great deal of private information when launching an executable.

By default, Windows 10 enables a feature called "Check apps and files" that uses Windows Defender SmartScreen to warn you if a file is malicious before you execute it.

Check apps and files setting
Check apps and files setting

After downloading a file and attempting to open it, Windows 10 will connect to https://checkappexec.microsoft.com/windows/shell/service/beforeExecute/2 and send a variety of information about the file.

In our tests, some of the information transmitted by Windows 10 includes the full path to the file on your computer and the URL you downloaded the file from. None of this information is hashed in any way.

For example, I uploaded a small utility called md5sum.exe to WeTransfer.com. I then downloaded that file on another Windows 10 PC and tried to execute it. 

As you can see from the image below, Windows transmitted to the SmartScreen service the URL where the file was downloaded from and the full path to file's location on my test computer.

File information sent to Microsoft
File information sent to Microsoft

This information could expose a tremendous amount of sensitive and private information to Microsoft. This includes private download URLs for sensitive files and the folder structure of internal Windows systems and networks.

While we do not recommend you do this, the only way to prevent this information from being shared is to disable this feature.

Microsoft has always disclosed that urls and file info are shared

After reading Weeks' tweet, many users immediately cried foul at Microsoft, but the reality is that Microsoft is not doing anything they haven't said they were doing.

As shown by Microsoft Edge developer Eric Lawrence, Microsoft has clearly stated from as early as 2005 and in more recent documentation that the URL and file information is being sent to Microsoft over a secure connection when using SmartScreen.

Information sent to SmartScreen
Information sent to SmartScreen

While they are not doing anything sneaky, Microsoft can modify how URLs are sent so that they are hashed in a similar way that Chrome SafeBrowsing does it.

In a world where people are finally waking up to how little control they have over their data and how it is being used, this tradeoff may be worth it to put customers at ease.

Chromium-based Microsoft Edge no longer sends SID

The sending of the SID was an odd thing and does not seem to be referenced anywhere in Microsoft's SmartScreen documentation.

The good news is that the new Chromium-based Microsoft Edge no longer sends the SID during a SmartScreen request.

It does, though, continue to send an unhashed URL. That practice will only end if and when Microsoft decides to start hashing the URLs, which probably would require significant code changes across many of their products.

Update 7/24/19: Microsoft responded with the following statement:

  • Microsoft SmartScreen provides industry-leading protections against phishing and malware through the browser.
  • The data is encrypted, collected over secure HTTPS channels and used to protect customers from these phishing and malware threats.
  • One of Microsoft’s core privacy principles has always been to give people control of their personal information. If you prefer not to have SmartScreen enabled, you can turn it off at any time. For more information, visit Microsoft Edge Privacy FAQ"

Related Articles:

Microsoft Wants You to Call Windows 10 Devs About Edge and Outlook

Microsoft Releases Windows 10 Update to Fix Privacy Settings Bug

Windows 10 Insider Build 18945 Brings a New Cortana Experience

Windows 10 Devices Using Kerberos Realms May Fail to Start Up

Windows 10 1903 Update Blocked by Old Intel Rapid Storage Drivers