STE WILLIAMS

Microsoft shrugs off report that Edge can expose user identities from Fetch requests

An independent security researcher claims to have uncovered a security flaw in Microsoft Edge.

The issue enables any website to identify a user by their username on another website, according to Ariel Zelivansky. More specifically, the researcher alleges that Edge exposes the URL of any Fetch response, in contradiction to the specification. This is a problem because it's possible to identify users by crafting a Fetch request to a URL that redirects to a URL containing the user's username (e.g. https://facebook.com/me to https://facebook.com/username).
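To make the specification point concrete, the sketch below (an added example, not code from the researcher, Microsoft or the article) models how the Fetch Standard's opaque filtered response hides the post-redirect URL from script, next to a model of the behaviour the report alleges. The `social.example` host, the username and all function names are constructed for illustration.

```javascript
// Added example: a model of the Fetch Standard's opaque filtered response.
// Hosts, username and function names are constructed for illustration.

// Follow a constructed redirect table, recording each URL visited
// (the internal response's "URL list").
function followRedirects(startUrl, redirects) {
  const urlList = [startUrl];
  while (redirects[urlList[urlList.length - 1]] !== undefined) {
    if (urlList.length > 20) throw new Error('redirect limit exceeded');
    urlList.push(redirects[urlList[urlList.length - 1]]);
  }
  return { urlList, status: 200 };
}

// What script sees: Response.url is the last URL in the list, or "" if empty.
function scriptView(type, urlList, status) {
  const url = urlList.length ? urlList[urlList.length - 1] : '';
  return { type, url, status };
}

// Specified behaviour for a cross-origin no-cors fetch: the opaque filtered
// response has an empty URL list and status 0.
function specOpaqueView(internal) {
  return scriptView('opaque', [], 0);
}

// Model of the behaviour the report alleges: still opaque, URL list kept.
function reportedView(internal) {
  return scriptView('opaque', internal.urlList, 0);
}

// Conformance check; also works on a real Response in a browser test page.
function opaqueViolations(resp) {
  if (resp.type !== 'opaque') return [];
  const found = [];
  if (resp.url !== '') found.push('url exposed: ' + resp.url);
  if (resp.status !== 0) found.push('status exposed: ' + resp.status);
  return found;
}

const redirects = { 'https://social.example/me': 'https://social.example/alice' };
const internal = followRedirects('https://social.example/me', redirects);
console.log(opaqueViolations(specOpaqueView(internal)));
console.log(opaqueViolations(reportedView(internal)));
```

`opaqueViolations` only reads `type`, `url` and `status`, so the same function can be pointed at a real `Response` in a browser regression test.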

Zelivansky approached Microsoft but the software giant dismissed the issue. El Reg requested a comment only to be told that Redmond had nothing to add beyond its response to Zelivansky.

The security researcher went public with his findings and contacted The Reg after Redmond decided the issue didn’t merit patching earlier this month. The issue has spawned a discussion thread on Reddit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/ms_edge_vuln_dispute/
