The flaw can allow a site to assign users a permanent unique identifier and use this to trace their behavior across different browsers – even if they are using a VPN, private browsing session, or other privacy-preserving tools and techniques.
A vulnerability that can allow websites to identify and track users, bypassing privacy protections, is present in multiple major browsers, researchers have warned.
Dubbed ‘scheme flooding’, the issue has been present in browsers for at least five years – and despite the fact there is no evidence it is being actively exploited on a large scale, researchers warn that the issue is nevertheless a “violation of privacy”.
The vulnerability was identified by security researchers at FingerprintJS, who found that they were able to launch scheme flooding exploits in Chrome, Safari, Firefox, and Tor Browser.
A site can generate a 32-bit cross-browser device identifier by testing a list of 32 applications and checking whether each one is installed on a user’s device.
According to researchers, on average, the fingerprinting process takes a few seconds and works across desktop Windows, macOS, and Linux operating systems.
Custom URL scheme handling is used to check whether the application in question has been installed – this is used to allow a browser to open the app via a pop-up configuration box.
Explaining the steps needed to exploit the vulnerability, the researchers wrote:
1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
3. Use this array to generate a permanent cross-browser identifier.
4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.
Today’s web browsers have built-in security mechanisms that are designed to protect users’ privacy. However, these mechanisms can be bypassed with scheme flooding.
Safari, Firefox, and Tor Browser, which is built on the Firefox codebase, are vulnerable due to the exploitation of the same-origin policy implementation. The blog post reads: “Every time you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it is impossible to access it because of the same-origin policy limitation.”
Chrome was the only browser that already had some protections against scheme flooding, but even these can be bypassed. The FingerprintJS researchers noted that the issue has been flagged by the Chromium bug tracker and will be fixed soon. Interestingly, although Tor Browser – which was built to offer enhanced anonymity for privacy-conscious users – is vulnerable, it took researchers much longer to exploit it.
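A defender-side sketch of how the probing pattern described above (one page testing a long list of application URL schemes within seconds) could be spotted in telemetry. It is an added example, not code from the article or from FingerprintJS; the event format, thresholds and sample data are assumptions.

```javascript
// Added example: flag page origins whose navigation attempts look like scheme flooding.
// The event shape { t, origin, url }, the thresholds and the sample data are assumptions.
const WEB_SCHEMES = new Set(["http", "https", "about", "blob", "data", "file", "javascript", "ws", "wss"]);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url); // RFC 3986 scheme syntax
  return m ? m[1].toLowerCase() : null;
}

// events: [{ t: timestamp in ms, origin: initiating page origin, url: navigation target }]
function detectSchemeFlooding(events, { windowMs = 10000, minDistinct = 8 } = {}) {
  const byOrigin = new Map();
  for (const e of events) {
    const scheme = schemeOf(e.url);
    if (!scheme || WEB_SCHEMES.has(scheme)) continue; // keep only external-protocol targets
    if (!byOrigin.has(e.origin)) byOrigin.set(e.origin, []);
    byOrigin.get(e.origin).push({ t: e.t, scheme });
  }
  const findings = [];
  for (const [origin, hits] of byOrigin) {
    hits.sort((a, b) => a.t - b.t);
    const counts = new Map(); // scheme -> occurrences inside the sliding window
    let left = 0, best = 0;
    for (let right = 0; right < hits.length; right++) {
      counts.set(hits[right].scheme, (counts.get(hits[right].scheme) || 0) + 1);
      while (hits[right].t - hits[left].t > windowMs) {
        const s = hits[left++].scheme;
        if (counts.get(s) === 1) counts.delete(s); else counts.set(s, counts.get(s) - 1);
      }
      best = Math.max(best, counts.size);
    }
    if (best >= minDistinct) findings.push({ origin, distinctSchemes: best });
  }
  return findings;
}

// Constructed sample: an ordinary site using two handlers far apart in time...
const sampleEvents = [
  { t: 500, origin: "https://shop.example", url: "mailto:help@shop.example" },
  { t: 2000, origin: "https://shop.example", url: "https://shop.example/cart" },
  { t: 90000, origin: "https://shop.example", url: "tel:+10000000000" },
];
// ...and a page probing 32 placeholder schemes in about three seconds.
for (let i = 0; i < 32; i++) {
  sampleEvents.push({ t: 1000 + i * 100, origin: "https://tracker.example", url: `app${i}://probe` });
}
console.log(detectSchemeFlooding(sampleEvents));
```

The distinct-scheme count, not the raw number of navigations, is what separates a probing page from a site that repeatedly opens a single handler such as `mailto:`.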