It has repeatedly published documentation declaring that URL and file information is shared with Microsoft over a secure connection. "Some of the information transmitted by Windows 10 includes the full path to the file on your computer and the URL you downloaded the file from," Lawrence Abrams, creator and owner of Bleeping Computer, said before adding that "none of this information is hashed in any way."Īccording to Abrams, the information exposed this way could be "sensitive and private," including "private download URLs for sensitive files and the folder structure of internal Windows systems and networks."Īll of this has been stated by Microsoft since it first developed the phishing filter for Internet Explorer 7. The Bleeping Computer investigation, however, also revealed that SmartScreen "exposes a great deal of private information when launching an executable." This is because of the way that Windows 10 defaults to enabling the "Check apps and files" feature using SmartScreen to warn of malicious files before they can be executed.Īs part of this process, Windows 10 connects to a Microsoft server and sends information about that file. If you were subject to such a thing, then "you'd have bigger problems than someone having your SmartScreen data," Migliano points out. That said, the security risk is mitigated by the fact that the data is being sent over a secure connection so would require a man-in-the-middle attack to intercept it. If this is the case, then there's an obvious security risk as this would be a real treasure trove to the cybercrime fraternity. "There will be a vast database somewhere out there containing historical browsing data combined with SIDs," Migliano says. Migliano thinks that it's the inclusion of the SID that is rightly controversial here. Should you be concerned about the privacy implications? "While SmartScreen sharing URLs with Microsoft is simply the product working as designed and outlined in public documentation," Simon Migliano, head of research at, says, "it's a flawed process that's a clear privacy risk and one that the vast majority of Edge users would be unaware of." This information includes the URL of the site being visited as well as the user's security identifier (SID) which is unique to every single Windows user account. Edge will communicate with SmartScreen, the Microsoft Windows Defender phishing and malware protection component bundled into the browser, in such a way that un-hashed information is sent over a secure connection.
So what is going on here, and does any of this matter in the grand scheme of privacy things? Without going into too much technical detail, it appears that Weeks is right.
0 kommentar(er)
