Skip to main content

Microsoft’s Edge browser may be storing private browsing data

Microsoft’s Edge browser may be storing private browsing data

Share this story

When Microsoft’s Edge browser arrived this summer alongside Windows 10, it was seen as a major step forward, incorporating new features like Cortana Assist alongside tricks that had become popular elsewhere, like Reading List and the new InPrivate browsing mode.

But now, new research suggests that InPrivate may not be as private as it seems. According to an investigation by researcher Ashish Singh, websites visited from InPrivate can be easily recovered from a user’s hard drive by examining the WebCache file. Visited sites are stored in the same "Container_n" table that stores tab history from conventional browsing, the investigation found.

"We are committed to resolving this as quickly as possible."

By examining that table, an attacker would be able to reconstruct a user’s entire browsing history, whether in Private Mode or not. "The not-so-private browsing featured by Edge makes its very purpose seem to fail," Singh wrote in Forensic Focus.

Exploring the WebCache file on a Windows 10 computer, The Verge was able to partially confirm Singh’s results, recovering evidence of a site visited in private mode after the session had been closed. We were not able to locate the Container_n table or recover a complete web history from the Private Session, although it’s likely a trained professional would have more success.

Edge isn’t the first browser to run into this problem. In 2010, Stanford researchers found that private browsing modes in Firefox, Chrome, Safari and Internet Explorer were vulnerable to local attackers through a number of attacks. According to digital forensics specialist Lesley Carhart, it’s a common problem, and private modes are rarely built to protect against investigations of the user’s hard drive. "Private browsing has always left easily retrievable artifacts on disk and in memory," Carhart said. "It’s always been a privacy feature, not a security feature." Still, those attacks typically focus on more obscure traces, like site permissions or data collected for the autocompletion of partial URLs. Maintaining the history in WebCache would make that investigation unusually straightforward.

Reached for comment by The Verge, Microsoft confirmed it was investigating Singh’s findings. "We recently became aware of a report that claims InPrivate tabs are not working as designed," a Microsoft spokesperson said, "and we are committed to resolving this as quickly as possible."