This last summer Microsoft’s Internet Explorer was superseded by the shiny and new Microsoft Edge browser, and everyone rejoiced. The aging IE, with its long record of security vulnerabilities, clunky interface, and outdated technologies, was long reviled in the tech community as a source of headaches and as a security nightmare.
Edge came out with a new list of long-awaited features, among them Microsoft’s own Cortana Assistant, and features that have already become nearly standard, like Reading List or a private browsing mode, InPrivate.
Unfortunately, it appears the new privacy feature may not be so private after all. According to research by security expert Ashish Singh, it is almost trivial to recover websites visited in InPrivate mode from a user’s hard drive. All one has to do is examine the WebCache file, from which an attacker could reconstruct a user’s entire browsing history. “The not-so-private browsing featured by Edge makes its very purpose seem to fail,” Singh wrote in Forensic Focus.
This problem is not unique to Edge, as back in 2010 researchers at Stanford demonstrated that Firefox, Chrome, Safari, and good ol’ Internet Explorer were all vulnerable to local attackers. Digital forensics specialist Lesley Carhart says it’s a common problem, as private modes are not usually built to protect against attackers with physical access to a user’s hard drive. “Private browsing has always left easily retrievable artifacts on disk and in memory,” Carhart said. “It’s always been a privacy feature, not a security feature.”
What distinguishes this particular instance is the ease of the attack. Previous attacks relied on obscure artifacts, such as URL autocompletion entries or site permissions. With a user’s entire history sitting in the WebCache file, this one is particularly easy to carry out, and far more straightforward even for someone with only intermediate technical knowledge.
“We recently became aware of a report that claims InPrivate tabs are not working as designed,” a Microsoft spokesperson told The Verge when approached for comment, “and we are committed to resolving this as quickly as possible.”