Governance & Risk Management , Privacy
Researcher: Microsoft Edge Least Private of 6 BrowsersStudy Finds Edge Sends Identifiers and URLs to Back-End Servers
Microsoft Edge is one of the least private web browsers, according to an academic paper published by a security researcher in Ireland. The researcher says the browser sends specific device identifiers, as well as URLs that users browsed, back to the company's corporate servers.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
In the study, Douglas Leith, a security researcher with the school of computer science and statistics at Trinity College in Ireland, investigated how six web browsers connect to corporate back-end systems and servers during web browsing sessions.
Leith concluded that that Edge, along with the Russian-made Yandex browser, are the least private of the browsers that he scrutinized. Others he investigated were Google Chrome, Mozilla Firefox, Apple Safari and the Brave Bowser.
A spokesperson for Microsoft says the company is committed to its users' privacy and follows not only the company's guidelines but also laws such as the EU's General Data Protection Regulation or GDPR. The spokesperson added that Edge allows users to adjust settings that might send data back to Microsoft.
"People can turn off Search Suggestions in Microsoft Edge Privacy and Services settings, just like other browsers. Users can disable sending browsing data to Microsoft," the company spokesperson tells Information Security Media Group.
Lack of Privacy
The study notes that the Edge browser transfers a hardware device's unique identifiers - including a 128-bit number used to identify certain information - back to computer systems at Microsoft. The report also notes that Yandex sends hardware serial numbers back to the parent company's back-end servers.
Leith also found that both web browsers collect and then send data, including URLs, collected through the browser's autocomplete function back to corporate server. The study shows that by collecting this data, the browsers can then reveal details about applications and other software residing on the device.
And while transferring of users' browser data to back-end servers is not necessarily a case of privacy intrusion, Leith notes that if threat actors intercepted it, the information could be used to identify and target a specific user.
"Issues arise when data can be tied to a specific user," Leith notes. "For example, knowledge of the work and home locations of a user can be inferred from such location data, and when combined with other data, this information can quickly become quite revealing."
Weaknesses in Other Browsers
While Leith found the most privacy issues with Edge and Yandex, he noted that the other four browsers also had security issues.
The most secure and private of the six browsers is Brave because it does not send sensitive user information back to corporate servers, the researcher reports. "We did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers," he says in the report.
Chrome, Firefox and Safari all enabled the transfer of web page details to the corporate servers through their autocomplete features when users typed in a URL, according to the report. Although this feature can be disabled, the research found that the three browsers silently enabled the feature by default.
Leith also notes that Firefox collects and maintains certain web browser data in its telemetry or data collection process, which can be potentially used for tracking - a feature that cannot be disabled by the users.
Because Google and Apple run a host of online services, Leith notes that Chrome and Safari load their web pages with pre-fetched apps from its parent companies and other services, potentially increasing the risk from third-party apps.
"Safari defaults to a choice of start page that pre-fetches pages from multiple third parties (Facebook, Twitter etc, sites not well known for being privacy friendly) and so potentially allows them to load pages containing identifiers into the browser cache," Leith states. "Chrome, Firefox and Safari can all be configured to be more private, but this requires user knowledge (since intrusive settings are silently enabled) and active intervention to adjust settings."
Leith says his findings have prompted discussions at all six companies about making changes to browser settings. "The results of this study have prompted discussions, which are ongoing, of browser changes, including allowing users to opt out of search auto-complete on first startup plus a number of browser specific changes," he notes in the report.
Browser Security Risks
In recent months, attackers have been capitalizing on browser vulnerabilities to carry out attacks.
For example, in February, Google removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data, according to security firm Duo Security (see: Google Removes 500 Chrome Extensions Tied to Malvertising).
Editor's Note: This article was updated to include a statement from Microsoft.