Jump to content
  • Report: Microsoft Edge apparently leaking all websites you visit to Bing API

    aum

    • 8 comments
    • 582 views
    • 2 minutes
     Share


    • 8 comments
    • 582 views
    • 2 minutes

    Microsoft Edge added a feature back in January 2022 which allowed users to follow content creators like YouTubers. However, this "follow creators" feature appears to be bugged in the latest update, according to reports online. The issue is pretty big when it comes to data privacy as every website URL visited is seemingly being sent to the Bing API servers "bingapis.com/api/v7/followweb/isfollowable". This is because the follow creators appear to be enabled by default all the time in the latest version, which means every URL or domain visited.

     

    The issue was discovered first by Reddit user hackermchackface a few days ago. He wrote:

     

    What is causing Edge to leak all visited URLs following latest update? API is: bingapis.com/api/v7/followweb/isfollowable ?

     

    GET request includes full url of every page navigate to.

     

    Searching for References to this url give very few results, no documentation on this feature at all. Json response shows type as “FollowableStatus” which yields zero Google results, which is rare.

     

    Microsoft MVP and Stardock engineer Rafael Rivera gave the following statement to The Verge:

     

    Microsoft Edge now has a creator follow feature that is enabled by default, it appears the intent was to notify Bing when you’re on certain pages, such as YouTube, The Verge, and Reddit. But it doesn’t appear to be working correctly, instead sending nearly every domain you visit to Bing

     

    Microsoft has responded to The Verge confirming that it is aware of such reports. Caitlin Roulston, director of communications at Microsoft, has stated:

     

    We’re aware of reports, are investigating and will take appropriate action to address any issues

     

    We will be updating this article when further updates are here.

     

    Via: The Verge

     

    Source


    User Feedback

    Recommended Comments

    I personally use Firefox, but double checking the GET request sent by M.S. Edge to the mentioned API, and keeping in mind the well structured JSON like wrapped data, it seems more than a simple leak!  As little as I know, it clearly looks like a well designed future/function of the Edge browser telemetry, aimed at collecting users' usage statistics, considering each Local/Session/Shared/Cache Storage element (under DevTools) that is being passed on.

    Edited by DLord
    Link to comment
    Share on other sites


    A bug? Its a feature. That is why I disabled "Show suggestions to follow creators in Microsoft Edge" from the getgo, how else can it send suggestions other than monitoring your web usage. You can make edge private by downloading edge group policy, going through it with a fine tooth comb; as well as through everything under the settings page. One privacy setting missing from group policy is disabling sending everything you type in private messages, social media, and forms to the cloud; enabled by default, which can be disabled under 'settings / languages'. Never login to and sync edge browser directly, and do not login to bing or an ms account in your primary edge browser, use a dedicated edge browser for bing chat / ms accounts, like the beta or dev channel; or  binggpt: https://github.com/dice2o/BingGPT  Use a unique non identifiable email for your dedicated bing chat account. Block all cookies and site data to [*.]msn.com, [*.]microsoft.com, [*.]live.com, [*.]bing.com in your primary browser to prevent MS edge cookie tracking; and hosts block assets.msn.com, browser.events.data.msn.com, browser.events.data.microsoft.com, and  www.google-analytics.com; three domains edge uses for telemetry that cannot be blocked by any other means. There are a number of settings under edge://flags : Block insecure private network requests., Strict-Origin-Isolation, Partitioned cookies, and Anonymize local IPs exposed by WebRTC, that help privacy while browsing also. Do not use smartscreen period [i recommend an av with the highest offline detection rate https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/ ] and change your default search engine to brave search. Blocking cookies to [*.]bing.com will render all bing searches private/non identifiable, only connected to IP.

    Given Edge has 'super secure mode' which blocks JIT compiler, and enforcing AGC exploit protections on the render process and other areas of the browser, rendering 99% of  zero-day exploits impossible, including by nation states, edge is by far the most secure browser... but it takes some effort making it private. https://community.brave.com/t/option-to-disable-jit-compilation/43768/6

    Chrome is lightyears ahead security wise than firefox: https://madaidans-insecurities.github.io/firefox-chromium.html

    The biggest concern that remains is the future of chromium extensions and adblocking with Manifest V3; which if dictated to its userbase in current form will increase cybercrime and tracking dramatically. Even the FBI does not recommend browsing without a decent adblocker for this very reason.

    Edited by wang_bam
    Link to comment
    Share on other sites


    9 hours ago, wang_bam said:

    Chrome is lightyears ahead security wise than firefox: https://madaidans-insecurities.github.io/firefox-chromium.html

    Well, that is the opinion of one person, claimed more than a year ago.  I do not want to reference tons of articles that argue otherwise (even if you use Google to search for it!) but claiming that Chrome is light years ahead security wise than Firefox (an open source project) is just absurd my friend.

    Link to comment
    Share on other sites


    Its called research, not opinion. I've seen propaganda out there suggesting otherwise. What I care about is the data. Firefox is much less of a privacy concern but years behind Chrome, edge especially, in terms of security. 

    Edited by wang_bam
    Link to comment
    Share on other sites


    Three of those list brave as number 1; Its true that Brave is more secure than Firefox; however not a single article you share goes into any depth or fact based research what-so-ever. Read the articles I cite, they do.  Sadly, #1 is Edge is currently the most secure browser on the market.  Firefox isn't designed to effectively disable JIT without losing java functionality; that alone translates to automatic increase of attack surface by 50%;  Nor has firefox made much progress integrating windows exploit mitigations... nor does it leverage intel/amd hardware-backed exploit mitigations such as shadow stack protections; and the windows hardware backed sandbox; which edge has done for quite some time. Firefox is lightyears behind.

    "Microsoft Edge already takes advantage of advanced protections like Code Integrity Guard (CIG) and Control Flow Guard (CFG). As of Microsoft Edge 98, Control-flow Enforcement Technology (CET) and Arbitrary Code Guard (ACG) will be enabled in the renderer process when a site is in enhanced security mode. These additional mitigations prevent dynamic code generation in the renderer processes and implement a separate shadow stack to protect return addresses. Moreover, we are quite excited that Microsoft Edge now supports both forwards and backwards control-flow protection. By applying these protections, we can provide defense in depth that spans beyond JIT attacks." https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/

     

    Thus far, Microsoft, being the developer of windows, integrated windows advanced security mitigations into edge browser more effectively than the competition; Where it lacks is in the privacy department. It takes substantial efforts to mitigate the draconian privacy violations inherent in edge and windows itself (efforts that in my circumstance are worth it); whereas browsers such as Brave and tor are private by default.

    Edited by wang_bam
    Link to comment
    Share on other sites


    Other Security Researchers' Views on Firefox: Many security experts also share my views about Firefox, and a few examples are listed below:
     

    thegrugq, information security researcher:
    Tor and its Discontents
    https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
    Kenn White, security researcher:
    https://twitter.com/kennwhite/status/804142071133126656
    PaXTeam, developer of PaX:
    https://archive.fo/9aBLk
    Daniel Micay, lead developer of GrapheneOS:
    https://grapheneos.org/usage#web-browsing
    Matthew Garrett, Linux developer:
    https://news.ycombinator.com/item?id=13800323
    Dan Guido, CEO of Trail of Bits:
    https://news.ycombinator.com/item?id=13623735
    Theo de Raadt, lead developer of OpenBsd:
    https://marc.info/?l=openbsd-misc&m=152872551609819&w=2
    Thomas Ptacek, co-founder of Latacora and Matasano Security:
    https://twitter.com/tqbf/status/930807512609296384,
    https://twitter.com/tqbf/status/930860544927649792,
    https://twitter.com/tqbf/status/830511154950766595
    qwertyoruiopz, iOS exploit developer:
    https://twitter.com/qwertyoruiopz/status/805887567493271556,
    https://twitter.com/qwertyoruiopz/status/730704655748075520
    John Wu, Android security engineer:
    https://twitter.com/topjohnwu/status/1105739918444253184,
    https://twitter.com/topjohnwu/status/1455606288419733505
    Chris Rohlf, security engineer:
    https://twitter.com/chrisrohlf/status/1455549993536966671
    Matthew Green, cryptographer at Johns Hopkins University:
    https://twitter.com/matthew_d_green/status/830488564672626690
    Bruno Keith, security researcher at Dataflow Security:
    https://twitter.com/bkth_/status/1265971734777380865
    Niklas Baumstark, security researcher at Dataflow Security:
    https://twitter.com/_niklasb/status/1131129708073107456
    The Tor Project investigating ways to harden the Tor Browser; in particular, they conclude that Firefox is too poorly written for them to apply PaX's Reuse Attack Protector (in comparison, RAP can be applied to Chromium with relatively little effort):
    https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Hardening
    Alex Gaynor, former Firefox security engineer and sandboxing lead:
    https://news.ycombinator.com/item?id=22342352

    Edited by wang_bam
    Link to comment
    Share on other sites


    OK, it's getting too long of a conversation for it's good.  So in short, to be polite and respond:

     

    1.  Brave or any other browser being ahead of FF does not back up your original claim.

    2.  Bunch of social media/blog posts (Twitter, Medium, etc.) does not count as a valid reference.

    3.  My whole argument was "to claim that FF is light years behind Chrome" is absurd.  I did not claim FF does not have security/privacy issues.

    4.  For a non-profit open source project to be able to compete with the big names such as Microsoft or Google means that project is doing pretty much well and stands neck to neck with the competition if not higher. 

    5.  The author of the original piece that you based your whole argument on is well known in blogs and social media for his out of place use of wording to try to amplify his opinions/claims;  same as what he did with that piece about Linux not being a secure system and it's as bad or even worse that Windows when it comes to security!  "Light years ahead/behind" is a good example of such exaggeration.

    6.  Thanks for the good technical info provided; but all the mentioned points together does not add up to "light years".

    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...