Jump to content

Microsoft SmartScreen Data Collection Raises Privacy Concerns


steven36

Recommended Posts

Over the weekend, privacy concern were raised regarding how Microsoft Edge is uploading the URLs to SmartScreen without hashing them first. After further testing by BleepingComputer, we learned that Windows 10 also transmits a great deal of potentially sensitive information about your applications to SmartScreen when you attempt to run them.

 

https://s7d7.turboimg.net/sp/c800b0f088c9dcdeb2d9c058177d5278/2a37.jpg

 

Over the weekend, security researcher Matt Weeks spotted Microsoft Edge sending the URL of a site being visited to SmartScreen. When sent this, this URL was not obfuscated or hashed in any way. which raised concerns that Microsoft could track what sites you visit.

 

https://s7d8.turboimg.net/sp/ea3699deaafb7935acbd2e81f1d715fd/tweet.jpg

 

When communicating with SmartScreen, Edge will send a JSON encoded POST request to https://nav.smartscreen.microsoft.com/windows/browser/edge/service/navigate/4/sync that includes information about the URL that is being checked.

 

BleepingComputer was able to confirm this behavior using Fiddler that showed the following JSON being sent to Microsoft over a secure connection.

 

https://s7d7.turboimg.net/sp/4621195c0bbbac02d60b11b1ea511872/unhashed-url.jpg

Unhashed URL being sent to SmartScreen

 

In addition to sending the URL in an unhashed form, Microsoft Edge for some reason also sent the logged in user's SID, or Security Identifier, to Microsoft. A SID is a unique identifier created by Windows when a new account is added to the operating system.

 

https://s7d2.turboimg.net/sp/4f5124aa80bde1ceac19f9bb3e5842b5/sid.jpg

Sending a users SID

 

Many of the users in the Twitter thread have expressed concerns that sending the URL in an unhashed form is a privacy risk as it could allow Microsoft to see a user's browsing history. The addition of also sending a user's SID just added to the concerns.

SmartScreen for applications exposes even more data

While Weeks' research focused on how SmartScreen operates when browsing the web, in tests by BleepingComputer you can see that SmartScreen also exposes a great deal of private information when launching an executable.

 

By default, Windows 10 will enables a feature called "Check apps and files" that uses Windows Defender SmartScreen to warn you if a file is malicious before you execute it.

 

https://s7d8.turboimg.net/sp/6a352e1d8bbdea543c700d341f48a266/check-apps-and-files.jpg

 

Check apps and files setting

 

After downloading a file and attempting to open it, Windows 10 will connect to https://checkappexec.microsoft.com/windows/shell/service/beforeExecute/2 and send a variety of information about the file.

 

In our tests, some of the information transmitted by Windows 10 includes the full path to the file on your computer and the URL you downloaded the file from. None of this information is hashed in any way.

For example, I uploaded a small utility called md5sum.exe to WeTransfer.com. I then downloaded that file on another Windows 10 PC and tried to execute it. 

 

As you can see from the image below, Windows transmitted to the SmartScreen service the URL where the file was downloaded from and the full path to file's location on my test computer.

 

 

https://s7d5.turboimg.net/sp/a43bbbeac89395056ef256351e56e2f6/file-info.jpg

 

File information sent to Microsoft

 

This information could expose a tremendous amount of sensitive and private information to Microsoft. This includes private download URLs for sensitive files and the folder structure of internal Windows systems and networks.

 

While we do not recommend you do this, the only way to prevent this information from being shared is to disable this feature.

Microsoft has always disclosed that urls and file info are shared

After reading Weeks' tweet, many users immediately cried foul at Microsoft, but the reality is that Microsoft is not doing anything they haven't said they were doing.

 

As shown by Microsoft Edge developer Eric Lawrence, Microsoft has clearly stated from as early as 2005 and in more recent documentation that the URL and file information is being sent to Microsoft over a secure connection when using SmartScreen.

 

https://s7d5.turboimg.net/sp/e310ac7080fb82b4c2fbae6cc4fa9cb4/sent-information.jpg

 

Information sent to SmartScreen

 

While they are not doing anything sneaky, Microsoft can modify how URLs are sent so that they are hashed in a similar way that Chrome SafeBrowsing does it.

In a world where people are finally waking up to how little control they have over their data and how it is being used, this tradeoff may be worth it to put customers at ease.

Chromium-based Microsoft Edge no longer sends SID

The sending of the SID was an odd thing and does not seem to be referenced anywhere in Microsoft's SmartScreen documentation.

 

The good news is that the new Chromium-based Microsoft Edge no longer sends the SID during a SmartScreen request.

 

It does, though, continue to send an unhashed URL. That practice will only end if and when Microsoft decides to start hashing the URLs, which probably would require significant code changes across many of their products.

 

Source

 

 

Link to comment
Share on other sites


  • Views 654
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...