Edge's new creator-follow feature was the reason for the bug, and Microsoft says the data wasn't shared externally.
Microsoft Edge, the company's Chromium-based web browser, has now resolved the issue that saw it sending all URLs visited to its Bing API website.
A Reddit user, Hackermchackface, had noticed full URLs visited were showing up on bingapis.com, including locally hosted URLs and IP addresses, as reported by The Verge Tuesday.
Microsoft on Wednesday said it was investigating the issue, and on Thursday sent over an updated statement.
"We're aware of and have fixed an issue where Edge sent URL data to a Bing service in order to determine whether the 'follow' button feature could be enabled on a website," a Microsoft spokesperson told CNET in a statement. "This data was not used or shared outside of internally validating whether the follow button could work on a site and was not stored for further use."
Further investigation by Hackermchackface had found that the issue stemmed from Microsoft Edge's "follow content creator" feature. This feature lets people follow their favorite YouTubers and other content creators in Edge, receiving updates on their latest uploads. Previous versions of follow content creator would send URLs to Bing APIs only for websites that supported the feature, such as Pinterest, YouTube or Instagram. There's also a master filter to block certain URLs like WhatsApp, Pornhub and XNXX.
This issue seems to have popped up in Edge version 112.0.1722.34, released on April 7. Turning off this feature resolved the problem.
The feature is now enabled by default in Microsoft Edge, Rafael Rivera, a software engineer for the Ear Trumpet app, told The Verge, and was incorrectly "sending nearly every domain you visit to Bing."
Your browser history contains lots of personal information, including your interests, location, relationship status, financial status, medical condition and more. Cybercriminals could use this information to impersonate you and steal your identity, or for personalized phishing emails or other attacks. Data miners could also sell your information for use in targeted advertising.