Over the weekend, privacy concern were raised regarding how Microsoft Edge is uploading the URLs to SmartScreen without hashing them first. After further testing by BleepingComputer, we learned that Windows 10 also transmits a great deal of potentially sensitive information about your applications to SmartScreen when you attempt to run them.
Over the weekend, security researcher Matt Weeks spotted Microsoft Edge sending the URL of a site being visited to SmartScreen. When sent this, this URL was not obfuscated or hashed in any way. which raised concerns that Microsoft could track what sites you visit.
When communicating with SmartScreen, Edge will send a JSON encoded POST request to https://nav.smartscreen.microsoft.com/windows/browser/edge/service/navigate/4/sync that includes information about the URL that is being checked.
BleepingComputer was able to confirm this behavior using Fiddler that showed the following JSON being sent to Microsoft over a secure connection.
In addition to sending the URL in an unhashed form, Microsoft Edge for some reason also sent the logged in user's SID, or Security Identifier, to Microsoft. A SID is a unique identifier created by Windows when a new account is added to the operating system.
Many of the users in the Twitter thread have expressed concerns that sending the URL in an unhashed form is a privacy risk as it could allow Microsoft to see a user's browsing history. The addition of also sending a user's SID just added to the concerns.
While Weeks' research focused on how SmartScreen operates when browsing the web, in tests by BleepingComputer you can see that SmartScreen also exposes a great deal of private information when launching an executable.
By default, Windows 10 enables a feature called "Check apps and files" that uses Windows Defender SmartScreen to warn you if a file is malicious before you execute it.
After downloading a file and attempting to open it, Windows 10 will connect to https://checkappexec.microsoft.com/windows/shell/service/beforeExecute/2 and send a variety of information about the file.
In our tests, some of the information transmitted by Windows 10 includes the full path to the file on your computer and the URL you downloaded the file from. None of this information is hashed in any way.
For example, I uploaded a small utility called md5sum.exe to WeTransfer.com. I then downloaded that file on another Windows 10 PC and tried to execute it.
As you can see from the image below, Windows transmitted to the SmartScreen service the URL where the file was downloaded from and the full path to file's location on my test computer.
This information could expose a tremendous amount of sensitive and private information to Microsoft. This includes private download URLs for sensitive files and the folder structure of internal Windows systems and networks.
While we do not recommend you do this, the only way to prevent this information from being shared is to disable this feature.
After reading Weeks' tweet, many users immediately cried foul at Microsoft, but the reality is that Microsoft is not doing anything they haven't said they were doing.
As shown by Microsoft Edge developer Eric Lawrence, Microsoft has clearly stated from as early as 2005 and in more recent documentation that the URL and file information is being sent to Microsoft over a secure connection when using SmartScreen.
While they are not doing anything sneaky, Microsoft can modify how URLs are sent so that they are hashed in a similar way that Chrome SafeBrowsing does it.
The alternative approach is to do what SafeBrowsing does, which is push the hash list to the client. Which is fine, but it's a tradeoff, data freshness and transfer size, vs. value of a threat model in which you don't trust the people who wrote the code you're running.— Eric Lawrence (@ericlaw) July 22, 2019
In a world where people are finally waking up to how little control they have over their data and how it is being used, this tradeoff may be worth it to put customers at ease.
The sending of the SID was an odd thing and does not seem to be referenced anywhere in Microsoft's SmartScreen documentation.
The good news is that the new Chromium-based Microsoft Edge no longer sends the SID during a SmartScreen request.
It does, though, continue to send an unhashed URL. That practice will only end if and when Microsoft decides to start hashing the URLs, which probably would require significant code changes across many of their products.
Update 7/24/19: Microsoft responded with the following statement: