Security research says the SID is also shared with Microsoft

Jul 23, 2019 05:20 GMT  ·  By

The original version of Microsoft Edge currently coming pre-installed on Windows 10 is sending the full URL of the sites you visit to Microsoft, according to a security researcher.

The data includes not only page information, but also the SID, which stands for security identifier, researcher Matt Weeks says on Twitter.

“Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID),” he posted.

Microsoft uses a feature called SmartScreen to protect users against potentially dangerous websites whenever they are loaded in the browser. SmartScreen works by analyzing the URL against a list of reported links maintained by Microsoft, so the page you visit is submitted to a Microsoft server to determine whether the site should be allowed or not.

SID possibly exposed

Weeks, however, discovered that the sent information, which doesn’t appear to be hashed, includes the SID. Microsoft says the following about the SID in its official documentation:

“A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.”

In theory, by including the SID in the report, Microsoft can tell who visits what when SmartScreen is enabled in Windows 10. By default, SmartScreen for Microsoft Edge is configured with the “Warn” setting on a Windows 10 device.

Microsoft, however, admits in its privacy statement that some information is indeed submitted to the company in order to power SmartScreen, simply because this is how the feature works.

“When checking a file, data about that file is sent to Microsoft, including the file name, a hash of the file's contents, the download location, and the file's digital certificates,” Microsoft says.

The researcher, however, suggests that this system could be improved using an approach similar to the one used by other browsers.

“Firefox, Chrome, and Safari do not send your browsing history to their cloud overlords like Edge does. They compare 4-byte URL hash prefixes with downloaded bad hash lists,” he says.

Microsoft is yet to respond to these concerns with an official statement, but we’ve reached out to the company and will update the article if an answer is offered.