Microsoft shrugs off report that Edge can expose user identities from JS Fetch requests

An independent researcher claims to have uncovered a security flaw in Microsoft Edge. The issue enables any website to identify someone by their username from another website, according to Ariel Zelivansky. More specifically the bod alleges that Edge exposes the URL of any JavaScript Fetch response, in contradiction to the …

  1. djstardust

    It's not really a problem

    As no-one actually uses Edge.

    If they do they need their head examined.

    1. Planty Bronze badge

      Re: It's not really a problem

      I did find someone using it once. However they thought they were using Chrome, but Windows 10 had decided to reset all the privacy and browser settings and take over control again....

      1. VinceH
        Unhappy

        Re: It's not really a problem

        ^This.

        I've encountered a handful of people who were using a particular browser (be that Chrome, Firefox, etc) on a previous version of Windows, but on 10 were using Edge and didn't even realise. Some were aware that something had changed about the way "the internet" works, but that was it.

      2. Anonymous Coward

        Re: It's not really a problem

        Doesn't all this imply there is no real difference between Edge and Chrome (or whatever)? If they are using it without realising, then.....

    2. bombastic bob Silver badge
      Big Brother

      Re: It's not really a problem

      "As no-one actually uses Edge."

      a) I wish you were right

      b) Sadly, I know that you're wrong

      c) They DO need their heads examined

      I'm sure the data harvesters and miners will take full advantage of this "feature" for as long as it's available, then cache the information, and use it to target ads, etc.

      Apparently a reddit user name can also be discovered (see 1st entry on the reddit thread mentioned in the article)

      URLs shouldn't even REDIRECT to information that's a potential security/privacy problem. Sounds like time for another RFC.

      1. Anonymous Coward

        Re: It's not really a problem

        "Sounds like time for another RFC."

        Not much point if the problem was down to MS ignoring them in the first place.

    3. asdf

      Re: It's not really a problem

      >As no-one actually uses Edge.

      No, but AFAIK you still have it and, even worse, the version of Adobe Flash that ships with it, sitting on your hard drive if you use Windows 10, which is getting harder and harder to avoid in crappy Windows land. Pretty funny how often Secunia flags that garbage code (as it rightly should).

    4. EnviableOne

      Re: It's not really a problem

      https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0

      about 14% market share is a lot of head examining

      Most of the El Reg readers won't, but userland peoples don't really know how or care to change the default browser (every time w10 decides to change it back for no apparent reason)

      1. Anonymous Coward
        Meh

        Re: It's not really a problem

        To be fair, they will soon be back to using Chrome once they update Java or Flash, when they choose default settings and you end up with McAfee and Chrome, even if you don't want it.

  2. Anonymous Coward

    Titanic the unsinkable

  3. Anonymous Coward

    HTTP became a can of worms...

    .... layers over layers in the desperate attempt of making web applications usable. Reinventing the wheel each time, and opening holes while slurping user data...

    1. Anonymous Coward

      Re: HTTP became a can of worms...

      Being picky, but it's JavaScript that's the issue, not HTTP.

  4. Anonymous Coward

    Is this a bug or a feature?

    I'm going to go with feature, as it would be very useful for anyone who has commandeered a server to get people's identification even if they are using Tor or a VPN.

  5. gerritv

    The response from MS clearly states that they have queued it for a later fix, so not exactly dismissing the report.

    I guess the author was miffed that his discovery didn't merit MS dropping everything to fix the API.

    1. hplasm
      Meh

      How long is the queue?

      "The response from MS clearly states that they have queued it for a later fix, so not exactly dismissing the report."

      Later, as in 30 years+ ?

  6. Zippy's Sausage Factory
    Flame

    If you read MSDN blogs then this sort of attitude seems endemic to Microsoft: if it doesn't cause Microsoft employees a problem, then any reason they can find not to deal with the problem will do.

    "It's not a problem because you can only cause it if something else happens first"

    "It's not a problem because that's how it's designed, even though it violates the specification, because it needs to be compatible with Excel 3.0 or whatever"

    "It's not a problem because it's already on our fix list".

    Microsoft: the customer is never right.

    1. anothercynic Silver badge

      RE: Microsoft shrugs off report that Edge can expose user identities from Fetch requests

      This is *not* limited to Microsoft. Quite a few open source projects have exactly the same blind spot.

      1. Colin McKinnon

        Re: RE: Microsoft shrugs off report that Edge can expose user identities from Fetch requests

        > Quite a few open source projects have exactly the same blind spot

        ....but at least you can properly investigate the problem and fix it yourself if you so choose. And you're not paying for the poor service.

        1. Anonymous Coward

          Re: RE: Microsoft shrugs off report that Edge can expose user identities from Fetch requests

          And with Microsoft you can fix it by not using the browser. What's your point?

          1. Steve Davies 3 Silver badge
            Facepalm

            Re: RE: Microsoft shrugs off report that Edge can expose user identities from Fetch requests

            Yes, you can decide to not use their browser. Then along comes an update and wham bang, thank you ma'am, and all your settings like default browser have been reset to what Nanny Microsoft thinks you want.

            And because they have in their esteemed wisdom decided to include (shudder) Flash (shudder) there is little incentive for website designers/developers to retire it. A Doh moment, as after all everyone who used the internet is using Windows 10, aren't they? (Well, that's what MS want us to believe.)

  7. cdrcat

    Are redirects used to return one-time security tokens?

    That would be a problem... The site cookies are sent (that is how it knows to redirect to the user name page).

  8. Mark Simon

    It’s a feature.

    I think Microsoft call this Telemetry.
