Security researchers found that websites can track desktop users across Apple Safari, Google Chrome, Mozilla Firefox and the Tor browser through scheme flooding

A web security researcher has discovered a vulnerability that can allow websites to track their users across different desktop browsers. Affecting Apple Safari, Google Chrome, Mozilla Firefox and Tor, it poses a threat to cross-browser confidentiality.

The vulnerability uses custom URL schemes as its attack vector. It can assign a user a permanent unique identifier using information about the applications installed on their computer. The tracking continues even if the user switches browsers, uses private mode or accesses the internet through a VPN.

Cross-browser anonymity is something a lot of privacy-savvy users take for granted, claims Konstantin Darutkin of FingerprintJS in his blog post. He added that a website exploiting the scheme flooding vulnerability can create a unique and stable identifier that links a user's browsing behavior together.

Darutkin further explained that people prefer the Tor browser because it is known for the ultimate in privacy protection. However, it is not as fast or high-performing as other browsers, so the user should opt to use Firefox, Safari or Chrome for some sites and Tor for anonymous browsing. The flaw can destroy that confidentiality.

The vulnerability can allow an attacker to determine which applications someone has installed: a website tests a list of the 32 most popular applications and uses the results as a 32-bit cross-browser device identifier. The identification process takes only a few seconds and works across Mac, Linux and Windows devices.

To perform this check, the technique relies on the browsers' built-in custom URL scheme handlers, a feature commonly called deep linking. For example, if the user has Skype installed on the device and enters its scheme in the browser's address bar, the browser will ask the user whether they want to continue to the app. Any installed application can register its own scheme, which allows other apps to open it.

Exploiting the vulnerability is a four-step procedure: preparing a list of application URL schemes to test; adding a script to test the apps; using the array to generate a permanent cross-browser identifier; and using algorithms to guess the user's occupation, age and interests from the installed-application data.

All the well-known browsers have a mechanism in place that helps prevent exploitation of the kind of flaw that allows scheme flooding to work. Darutkin added that Chrome offers some protection against the vulnerability, and it seems to be the only browser to acknowledge the threat. Chrome refuses to launch any application unless the launch is requested by a user gesture, such as a mouse click. A global flag that allows or denies websites to open apps is set to false after a custom URL scheme has been handled. While Chrome is taking measures against the vulnerability, Safari was found to have no scheme flooding protection, which allows the exploit to enumerate all installed applications.
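The gesture-gated flag described above can be modelled in a few lines to show why it limits how much of the 32-bit identifier a page can learn per click. This is an added illustration, not Chrome's code or the researcher's demo; the class, function and scheme names are constructed, and the model assumes a lookup result only becomes observable when a launch request gets past the gate.

```javascript
// Toy model of a user-gesture gate on custom URL scheme launches.
// Not browser source code: every name and scheme below is constructed.
class SchemeLaunchGate {
  constructor({ requireGesture }) {
    this.requireGesture = requireGesture; // false models a browser with no gate
    this.allowExternalLaunch = false;     // the "global flag" from the article
  }

  // A real click or key press arms the flag.
  onUserGesture() {
    this.allowExternalLaunch = true;
  }

  // True if the request would reach handler lookup, the only point at which
  // "is this app installed?" could become observable to the page.
  requestLaunch(scheme) {
    if (!this.requireGesture) return true;
    if (!this.allowExternalLaunch) return false; // blocked, nothing learned
    this.allowExternalLaunch = false;            // one launch per gesture
    return true;
  }
}

// The page retries every unresolved scheme at load (round 0) and again after
// each user gesture. Returns the schemes whose lookup it got through.
function resolvedProbes(gate, schemes, gestures) {
  const pending = [...schemes];
  const resolved = [];
  for (let round = 0; round <= gestures; round++) {
    if (round > 0) gate.onUserGesture();
    for (let i = 0; i < pending.length; ) {
      if (gate.requestLaunch(pending[i])) resolved.push(pending.splice(i, 1)[0]);
      else i++;
    }
  }
  return resolved;
}

// 32 placeholder schemes, one per bit of the identifier.
const SCHEMES = Array.from({ length: 32 }, (_, i) => `exampleapp${i}`);

const ungated = resolvedProbes(new SchemeLaunchGate({ requireGesture: false }), SCHEMES, 0);
const gated = resolvedProbes(new SchemeLaunchGate({ requireGesture: true }), SCHEMES, 1);
console.log(`no gate, 0 gestures: ${ungated.length} of 32 bits exposed`);
console.log(`gesture gate, 1 click: ${gated.length} of 32 bits exposed`);
```

In this model a browser without the gate exposes all 32 bits on page load, while the gated browser exposes one bit per genuine user gesture.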

The researcher said that bug reports have been submitted to the developers of Chrome, Safari and Firefox, and that he has published a demo of the exploit in the hope that fixes are imminent.

