Desktop browsers affected by ‘scheme flooding’ attacks

The flaw can allow a site to assign users a permanent unique identifier and use this to trace their behavior across different browsers – even if they are using a VPN, private browsing session, or other privacy-preserving tools and techniques.

A vulnerability that can allow websites to identify and track users, bypassing privacy protections, is present in multiple major browsers, researchers have warned.

Dubbed ‘scheme flooding’, the issue has been present in browsers for at least five years – and despite the fact there is no evidence it is being actively exploited on a large scale, researchers warn that the issue is nevertheless a “violation of privacy”.

The vulnerability was identified by security researchers at FingerprintJS, who found that they were able to launch scheme flooding exploits in Chrome, Safari, Firefox, and Tor Browser.

A website can generate a 32-bit cross-browser device identifier by testing a list of 32 applications and checking whether each one is installed on a user’s device.

According to researchers, on average, the fingerprinting process takes a few seconds and works across desktop Windows, macOS, and Linux operating systems.

Custom URL scheme handling is used to check whether the application in question has been installed – custom schemes are the mechanism that lets a browser open an installed app, after asking the user via a pop-up confirmation box.

Explaining the steps needed to exploit the vulnerability, the researchers wrote:

1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
3. Use this array to generate a permanent cross-browser identifier.
4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Bypassing protections
Today’s web browsers have built-in security mechanisms that are designed to protect users’ privacy. However, these mechanisms can be bypassed with scheme flooding.

Safari, Firefox, and Tor Browser, which is built on the Firefox codebase, are vulnerable because of how their same-origin policy implementation treats unknown versus known schemes. The blog post reads: “Every time you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it is impossible to access it because of the same-origin policy limitation.

“On the other hand, a known custom URL scheme will be opened as about:blank, whose origin will be accessible from the current website.” The researchers added: “By opening a pop-up window with a custom URL scheme and checking if its document is available from JavaScript code, you can detect if the application is installed on the device.”

Chrome is the only browser that already has some protection against scheme flooding, but even this can be bypassed. The FingerprintJS researchers noted that the issue has been flagged on the Chromium bug tracker and will be fixed soon. Interestingly, although Tor Browser – which was built to offer enhanced anonymity for privacy-conscious users – is vulnerable, it took the researchers much longer to exploit it.
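The telltale sign of the probing described above is one page attempting many different custom-scheme navigations within a few seconds. The following detector is an added, defender-side example (not code from the article or from FingerprintJS); it assumes a constructed log format of `timestamp initiating-page target-url`, as a browser extension or proxy might record navigation attempts, and flags any page that probes a burst of distinct non-web schemes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (not real traffic): one line per navigation attempt,
# "<ISO timestamp> <initiating page origin> <target URL>".
SAMPLE_LOG = """\
2021-05-14T10:00:00 https://example-site.test slack://open
2021-05-14T10:00:00 https://example-site.test skype://
2021-05-14T10:00:01 https://example-site.test zoommtg://zoom.us
2021-05-14T10:00:01 https://example-site.test spotify://
2021-05-14T10:00:01 https://example-site.test steam://open
2021-05-14T10:00:02 https://example-site.test discord://
2021-05-14T10:00:02 https://example-site.test vscode://
2021-05-14T10:00:02 https://example-site.test teams://
2021-05-14T10:00:03 https://example-site.test https://example-site.test/next
2021-05-14T10:05:00 https://mail.test zoommtg://zoom.us
"""

# Schemes that a normal page navigates to all the time; anything else is
# treated as a custom (application) scheme probe.
WEB_SCHEMES = {"http", "https", "about", "blob", "data", "javascript"}


def parse_events(text):
    """Parse log lines into (timestamp, initiating page, target scheme) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, page, target = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), page, urlsplit(target).scheme.lower()))
    return events


def flag_scheme_flooding(events, window=timedelta(seconds=10), threshold=5):
    """Return {page: set_of_schemes} for every initiating page that probed at
    least `threshold` distinct custom schemes inside any `window`-long span.
    A single custom-scheme link click never trips this; a burst does."""
    by_page = defaultdict(list)
    for ts, page, scheme in events:
        if scheme and scheme not in WEB_SCHEMES:
            by_page[page].append((ts, scheme))
    flagged = {}
    for page, probes in by_page.items():
        probes.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(probes):
            seen = {s for t, s in probes[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[page] = seen
                break
    return flagged
```

The threshold and window are tunable: a legitimate page rarely opens more than one or two custom schemes, whereas the 32-app probe in the article fires dozens within seconds.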
