Skip links

Microsoft probes complaints of Edge leaking URLs to Bing

You might want to think twice before typing anything into Microsoft’s Edge browser, as an apparent bug in a recent release of Redmond’s Chromium clone appears to be funneling URLs you visit back to the Bing API.

The issue, identified by Redditor HackerMcHackface in the r/browsers subreddit last week, appears to be related to an opt-out content aggregation feature in Edge, called Collections, which offers suggestions for online creators that users may want to follow. 

However, beginning with Microsoft Edge build 112.0.1722.34, the Redditor notes that the default behavior had changed. In prior versions of Edge, they noted, the feature was limited to a subset of social media sites, including YouTube and Pinterest. Now the scope appears to be wider.

From what we can tell, it worked a bit like this: on whitelisted pages, the URL would be sent to the Bing API to determine whether a recommendation popup should be put in the browser. This recommendation would appear in the user’s address bar. If the user clicks through the popup, content from that creator would then be curated in Edge’s Collections feature.

However, as of the April 7, release of Edge, all URLs entered into the address bar appear to be sent to the Bing API, according to HackerMcHackface’s findings.

In response to questions, a Microsoft spokesperson told The Register it was “aware of reports, are investigating, and will take appropriate action to address any issues.”

The Register wasn’t able to independently confirm the bug. However, developer Rafael Rivera told The Verge that the feature was poorly implemented and didn’t appear to be functioning correctly.

If you’re worried about Edge leaking every page you visit to Bing, disabling the functionality by navigating to the “Privacy, search, and services” tab on the “Settings” page and unticking “Show suggestions to follow creators in Microsoft Edge” near the bottom of the page ought to mitigate the problem. However, if you’re really worried, you could always use another browser.

Despite offering a wealth of privacy toggles, Microsoft Edge hasn’t always had the greatest reputation for user’s privacy. In a 2020 paper, Trinity College professor Douglas Leith found that Edge was among the most invasive browsers on the market, partially due to the use of hardware identifiers.

That said, Edge is hardly the only browser to run into a privacy or security breaking bug in recent history. Earlier this month, Google released an emergency update to Chrome to address a zero-day vulnerability that could be exploited to hijack a user’s device. ®