They discovered a vulnerability that allows user tracking, even if you use Tor

A few days ago FingerprintJS published a blog post describing a vulnerability they discovered that allows websites to reliably identify users across various browsers; only desktop browsers are affected.

According to the post, the vulnerability uses information about the applications installed on the computer to assign a permanent unique identifier that persists even if the user changes browsers, uses incognito mode or uses a VPN.

Because this vulnerability allows third-party tracking across different browsers, it constitutes a privacy violation, and even though Tor is a browser that offers the ultimate in privacy protection, it is also affected.

According to FingerprintJS, this vulnerability has existed for more than 5 years and its real impact is unknown. The schema flood vulnerability allows a hacker to determine which applications are installed on the target's computer. On average, the identification process takes a few seconds and works on Windows, Mac and Linux operating systems.

In our research on anti-fraud techniques, we have discovered a vulnerability that allows websites to reliably identify users in different desktop browsers and link their identities. The desktop versions of Tor Browser, Safari, Chrome, and Firefox are affected.

We will refer to this vulnerability as Schema Flood, as it uses custom URL schemes as an attack vector. The vulnerability uses information about the applications installed on your computer to assign you a permanent unique identifier, even if you change browsers, use incognito mode, or use a VPN.

To check whether an application is installed, browsers can use their built-in custom URL scheme handlers.

A basic example is easy to verify: just enter skype:// in the address bar of the browser. This gives an idea of the real impact this problem can have. This feature is also known as deep linking and is widely used on mobile devices, but it is also available in desktop browsers.

Depending on the applications installed on a device, a website may be able to identify people for more malicious purposes. For example, a site can detect an officer or military personnel on the Internet based on their installed applications and associate that with a browsing history believed to be anonymous. Let's go over the differences between browsers.

Of the four main browsers affected, only the Chrome developers seem to be aware of the schema flood vulnerability. The problem has been discussed in the Chromium bug tracker and should be fixed soon.

In addition, only the Chrome browser has some kind of schema flood protection: it prevents any application from starting unless requested by a user action such as a mouse click. There is a global flag that allows (or denies) websites to open applications, and it is set to false after a custom URL scheme is handled.

Firefox, on the other hand, displays an internal error page when a site tries to navigate to an unknown URL scheme. This internal page has a different origin than any other website, so it cannot be accessed because of the same-origin policy.

As for Tor, the vulnerability takes the longest to execute successfully in this browser, as each app can take up to 10 seconds to verify due to Tor Browser rules. However, the exploit can run in the background and track its target during a longer browsing session.

The exact steps to exploit the schema flood vulnerability may vary by browser, but the end result is the same.
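To see which custom URL schemes a Linux desktop offers to this kind of probing, the following added example (not code from FingerprintJS or from this post) lists the schemes that installed applications register through x-scheme-handler/ MimeType entries in freedesktop.org .desktop files. The COMMON set and the SAMPLE entries are assumptions constructed for illustration, and handlers registered only in mimeapps.list are not covered.

```python
from pathlib import Path

# freedesktop.org locations for .desktop entries (Linux desktops only).
APP_DIRS = [Path("/usr/share/applications"),
            Path("/usr/local/share/applications"),
            Path.home() / ".local/share/applications"]
PREFIX = "x-scheme-handler/"
# Assumption: schemes nearly every desktop registers, so they identify no one.
COMMON = {"http", "https", "mailto"}

def schemes_in_entry(text):
    """Return URL schemes registered by the [Desktop Entry] MimeType key."""
    schemes, in_main = set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_main = line == "[Desktop Entry]"
            continue
        key, sep, value = line.partition("=")
        if in_main and sep and key.strip() == "MimeType":
            schemes |= {m.strip()[len(PREFIX):].lower()
                        for m in value.split(";")
                        if m.strip().startswith(PREFIX)}
    return schemes

def audit(entries):
    """Map each distinctive scheme to the .desktop files that register it."""
    exposed = {}
    for name, text in entries.items():
        for scheme in schemes_in_entry(text) - COMMON:
            exposed.setdefault(scheme, []).append(name)
    return {s: sorted(files) for s, files in sorted(exposed.items())}

def load_installed():
    """Read every .desktop file from the standard application directories."""
    return {f.name: f.read_text(errors="replace")
            for d in APP_DIRS if d.is_dir() for f in d.glob("*.desktop")}

# Constructed sample entries, used when no .desktop files are found.
SAMPLE = {
    "chat.desktop": "[Desktop Entry]\nName=Chat\nMimeType=x-scheme-handler/skype;\n",
    "browser.desktop": "[Desktop Entry]\nName=Browser\n"
                       "MimeType = text/html;x-scheme-handler/http;x-scheme-handler/https;\n",
    "notes.desktop": "[Desktop Entry]\nName=Notes\nMimeType=text/plain;\n"
                     "[Desktop Action New]\nMimeType=x-scheme-handler/ignored;\n",
}

if __name__ == "__main__":
    for scheme, files in audit(load_installed() or SAMPLE).items():
        print(f"{scheme}://  registered by {', '.join(files)}")
```

Each scheme in the output is one installed application a website could test for; removing applications or handler registrations that are not needed shrinks that set.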

Finally, if you are interested in knowing more about it, you can check the details in the following link.



  1.   Someone on the NET said

    Obviously I use Linux, and in Firefox it did show an ID, as in Vivaldi, but in OPERA it did not work.

    It is concerning, and I don't know if there is any way to avoid it or to nullify it.

  2.   Cesar de los RABOS said

    It would be necessary to see, in diverse scenarios ... how about an old old kernel distribution, a browser without updating and in a virtual machine!