Desktop Browsers At Risk Due to a Tracking Flaw that Can Avoid Privacy Tools
“Scheme Flooding” Vulnerability Allows Websites to Track Users Across Several Desktop Browsers.
A FingerprintJS security specialist brought to light a flaw that permits websites to track users across a number of different desktop browsers such as Apple Safari, Google Chrome, Microsoft Edge, Mozilla Firefox, and Tor, representing a big threat to cross-browser anonymity.
A new vulnerability report by FingerprintJS’ Konstantin Darutkin states:
Cross-browser anonymity is something that even a privacy-conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection, though due to its slow connection speed and performance issues on some websites, users may rely on less anonymous browsers for their everyday surfing.
The vulnerability can allow a site to allocate users a perpetual distinctive identifier and employ this to identify behavior across different browsers – even if they are using a VPN, private browsing session, or other privacy-preserving tools and techniques.
Called the ‘scheme flooding’ technique, it leverages custom URL schemes to determine the applications installed by the users by creating a 32-bit cross-browser device identifier that a website can use to test a list of 32 popular applications.
This identification process takes a few seconds and works across desktop Windows, Mac, and Linux OS, Darutkin stated.
To attain this verification, browsers can utilize deep linking or built-in custom URL scheme handlers, which are usually used on mobile devices but also available on desktop browsers as well.
So if someone has Skype installed and types “skype://” in a browser address bar, the browser will open and ask if the user wants to launch Skype
Even if there is no proof that it is being actively exploited on a large scale, security specialists warn that the issue is a violation of privacy.
According to the researcher, to make this vulnerability possible, the following steps are required:
- Put together a list of application URL schemes that you want to test.
- Add a script on a website that will test each application from your list.
- Use this arrangement to create a permanent cross-browser identifier.
- You can optionally also use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.
You can consider these steps easy, but most browsers have safety mechanisms in place created to advert such exploits. Weaknesses in these safety mechanisms are what makes this vulnerability viable, the researcher said.
He added that Chrome offers some protection against this flaw, and its developers appear to be the only ones who so far have admitted that it exists.
Apparently, activating a built-in Chrome extension such as the Chrome PDF Viewer avoids this alleviation.
The built-in Chrome PDF Viewer is an extension, so every time your browser opens a PDF file it resets the scheme flood protection flag. Opening a PDF file before opening a custom URL makes the exploit functional.
Darutkin’s scheme flooding vulnerability currently checks for applications such as Skype, Spotify, Zoom, vscode, Epic Games, Telegram, Discord, Slack, Steam, Battle.net, Xcode, NordVPN, Sketch, Teamviewer, Microsoft Word, WhatsApp, Postman, Adobe, Messenger, Figma, Hotspot Shield, ExpressVPN, Notion, and iTunes.
According to Darutkin, until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether.