Microsoft Edge feature "Follow creators" sends nearly all visited website URLs to Bing API

There are reports that the Microsoft Edge browser is transmitting the URLs of all websites visited by the user to the API of Microsoft's search engine Bing. The "Follow creators" feature, which is now being rolled out more broadly to users, is probably responsible. The feature can be turned off, but it is once again an example that Microsoft doesn't have its stuff under control and that administrators are riding a hot razor blade when they unleash something like this on users.



Edge feature "Follow creators"

Microsoft introduced a "Follow creators" feature in the Edge Canary Channel in 2022 (see this reddit.com post) that lets users follow web content creators. For corresponding websites like YouTube, the browser then displays a "Follow" icon in the address bar. Via the "Collections" sidebar, the user can view, change and remove the web pages, topics and creators to follow.

Edge submits URLs to Bing API

A reddit.com user must have been the first to notice that the Edge browser's "Follow creators" feature is starting to transmit nearly all visited URLs to the Bing API.

What is causing Edge to leak all visited URLs following latest update? API is: bingapis.com/api/v7/followweb/isfollowable ?

GET request includes full url of every page navigated to.

Searching for references to this url gives very few results, no documentation on this feature at all. Json response shows type as "FollowableStatus" which yields zero Google results, which is rare.

Surely I can't be the first to discover this?!

More details may be found within this reddit.com thread.

Edge 122 – Bing now tracking every page you visit

So after finding nothing on the internet about this I did some digging myself:

The recent Edge Version 112.0.1722.34 and later has made a change to the behaviour of the optional, but on by default Privacy feature: Show suggestions to follow creators in Microsoft Edge.

As of Edge version 112.0.1722.34, the privacy feature "Show suggestions to follow creators" (which makes suggestions to follow content creators) is enabled by default. This has serious consequences, as the poster goes on to explain:

In prior versions, this feature seems to only apply to a small subset of websites – I have identified YouTube and Pinterest affected so far. When visiting subpages of this site, the complete URL of the page you are visiting is submitted to Bing as the mediaURL parameter using the following GET request:

www.bingapis.com/api/v7/followweb/isfollowable?appId=F1E45C4A7B95B48AC3F411C6214F6B861D0C276B&mediaUrl=https://www.youtube.com/watch?v=abcedfgh&edgechannel=stable

Being restricted to only a few "social media" sites, this wasn't a significant concern.

However, from Version 112.0.1722.34 onwards (at time of writing), the behaviour changed as follows:

On start of the browser, the following GET request is made:

www.bingapis.com/api/v7/followweb/getdomainfilter?appId=F1E45C4A7B95B48AC3F411C6214F6B861D0C276B&edgechannel=stable

This returns JSON detail of a number of websites (including YouTube and Instagram), one would think as a "whitelist" for the aforementioned behaviour. However, instead, provided this request was successful (it was not blocked by a firewall), then every subsequent visited page is submitted (including any GET key/value pairs), in the format of the first API call mentioned. It doesn't matter if it's a local domain, or even an IP address, the full URL of every site you follow from then on is passed to Bing. This includes any links, logins etc, clicked or otherwise navigated to, not just URLs typed or copied into the navigation bar, as is the well known behaviour of other privacy-invading browser features. I'm not convinced this is intentional behaviour by Microsoft.

In short: The Edge browser transfers the URLs of (almost) all visited websites to the Bing API. The Verge picked up on this and interviewed developer Rafael Rivera. Rivera is quoted in the article as saying:



Microsoft Edge now has a 'Creator Follow' feature enabled by default. It seems that the intent was to notify Bing when users are on certain sites, like YouTube, The Verge and Reddit. But it doesn't seem to work properly and instead sends almost every domain you visit to Bing.

Microsoft has told The Verge that they are investigating the reports. The incident is of course a privacy issue, although I can't currently assess whether this is a problem in terms of the GDPR or security (e.g. if credentials are in a URL, or the URL contains personal data).
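
Whether internal hosts, credentials or other personal data actually left the network this way can be checked against web-proxy logs. The following Python code is an added example, not code from the reddit post, The Verge or Microsoft: the log layout (timestamp, client, method, URL), the sample lines, the APPID placeholder and the internal-suffix list are constructed assumptions, and only the endpoint path and the mediaUrl/edgechannel parameter names are taken from the requests quoted above.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Endpoint and parameter names as quoted in the post; mediaUrl may arrive
# percent-encoded or raw (as printed above), so both forms are handled.
FOLLOW_RE = re.compile(
    r"bingapis\.com/api/v7/followweb/isfollowable\?(?:.*?&)?"
    r"mediaUrl=(.*?)(?:&edgechannel=[^&]*)?$", re.IGNORECASE)
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")  # assumption: adapt to your namespace

# Constructed proxy log lines (assumed layout: timestamp client method url).
SAMPLE_LOG = [
    "2023-01-01T09:00:01Z 10.0.0.21 GET https://www.bingapis.com/api/v7/followweb/getdomainfilter?appId=APPID&edgechannel=stable",
    "2023-01-01T09:00:07Z 10.0.0.21 GET https://www.bingapis.com/api/v7/followweb/isfollowable?appId=APPID&mediaUrl=https://www.youtube.com/watch?v=abcedfgh&edgechannel=stable",
    "2023-01-01T09:01:15Z 10.0.0.21 GET https://www.bingapis.com/api/v7/followweb/isfollowable?appId=APPID&mediaUrl=https%3A%2F%2F192.168.1.10%2Fadmin%2Flogin%3Fuser%3Dalice%26token%3Dabc123&edgechannel=stable",
    "2023-01-01T09:02:30Z 10.0.0.35 GET https://www.bingapis.com/api/v7/followweb/isfollowable?appId=APPID&mediaUrl=http%3A%2F%2Fintranet%2Fwiki%2FHome&edgechannel=stable",
    "2023-01-01T09:03:00Z 10.0.0.35 GET https://example.com/index.html",
]

def classify(media_url):
    """Return the reasons a leaked URL is sensitive (empty list if none)."""
    parts = urlsplit(media_url)
    host = parts.hostname or ""
    reasons = []
    try:
        if ipaddress.ip_address(host).is_private:
            reasons.append("private-ip")
    except ValueError:  # not an IP literal: treat single-label/internal names as internal
        if host and ("." not in host or host.endswith(INTERNAL_SUFFIXES)):
            reasons.append("internal-host")
    if parts.username or parts.password:
        reasons.append("userinfo")
    if parts.query:
        reasons.append("query-string")
    return reasons

def scan(log_lines):
    """Return (client, leaked_url, reasons) for every isfollowable request."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        match = FOLLOW_RE.search(fields[3])
        if match:
            leaked = unquote(match.group(1))
            findings.append((fields[1], leaked, classify(leaked)))
    return findings
```

Calling `scan(SAMPLE_LOG)` lists which clients reported which URLs; entries tagged `private-ip`, `internal-host` or `userinfo` are the ones to review first, and `query-string` entries may carry tokens or personal data.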

Disable "Follow creators" in Edge

Administrators should disable the follow feature via Group Policy in enterprise environments. Edge provides the EdgeFollowEnabled policy (see also), which allows disabling the feature. The policy can also be set directly in the registry, under HKLM (system-wide) or HKCU (per user), in the following branch:

\SOFTWARE\Policies\Microsoft\Edge

Add a 32-bit DWORD value EdgeFollowEnabled. A value of 0 should disable the service, and a value of 0x1 will enable the Follow service.

Alternatively, users can disable the Show Creator follow suggestions in Microsoft Edge using Settings. Choose the Privacy, Search and Services tab, and scroll down to Services. Toggle off the switch beside Show suggestions to follow creators in Microsoft Edge (see).

