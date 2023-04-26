Reddit users have discovered that the Microsoft Edge browser is leaking users’ browsing history to the company’s Bing API.

The behaviour occurs in Edge browser versions 112.0.1722.34 and later and appears to be due to a change in the optional “Show suggestions to follow creators in Microsoft Edge” privacy setting.

This setting was first tested last year and rolled out to more users in recent months. Its stated purpose is to help Edge users follow their favourite content creators across the web.

Reddit user hackermchackface explained the setting previously only applied to a small subset of websites, including YouTube and Pinterest.

“When visiting subpages of this site, the complete URL of the page you are visiting is submitted to Bing as the ‘mediaURL’ parameter using a GET request,” hackermchackface said.

A GET request is the regular plaintext request browsers send to web servers to download webpages. For example, to visit the Microsoft homepage, your browser sends a GET request to microsoft.com.

From version 112.0.1722.34, the GET request was changed, resulting in every visited page being submitted to “www.bingapis.com” unless a firewall picked up the activity and blocked it.

“It doesn’t matter if it’s a local domain or even an IP address; the full URL of every site you follow from then on is passed to Bing,” hackermchackface stated.

“This includes any links, logins, clicked or otherwise navigated to, not just URLs typed or copied into the navigation bar, as is the well-known behaviour of other privacy-invading browser features.

“If Edge is sending the URL of every URL visited straight to a Microsoft server on the Internet, that’s new and a pretty egregious privacy violation.

“If Microsoft detected a non-Microsoft program doing that, it’d probably categorize it as malware, and it’d wind up in the firewall, Windows Defender detection list, or even featured in the malware removal tool.”

However, hackermchackface said they were unconvinced that the behaviour was intentional, suggesting it was either an oversight or a bug.

Microsoft communications director, Caitlin Roulston, told The Verge that the company was aware of reports of the issue and was investigating.

Until it is fixed, hackermchackface advised users to disable the “Show suggestions to follow creators in Microsoft Edge” setting, which is enabled by default, to avoid potentially exposing corporate data.