A vulnerability dubbed Scheme Flooding, which can allow websites to identify and track users while bypassing privacy protections, is present in multiple major browsers: Chrome, Safari, Firefox, and Tor Browser.
The flaw can allow a site to assign users a permanent unique identifier and use it to trace their behavior across different browsers, even in private browsing sessions. Although there is no evidence that it is being actively exploited on a large scale, the researchers warn that the issue is nevertheless a “violation of privacy”.
A website can generate a 32-bit cross-browser device identifier by testing a list of 32 applications and checking whether each is installed on the user’s device. This fingerprinting process takes a few seconds and works across desktop Windows, macOS, and Linux operating systems.
Custom URL scheme handling is used to check whether the application in question has been installed. Custom schemes (the kind a native application registers so that a link can open it) cause the browser to offer to open the app via a confirmation pop-up, and whether or not that pop-up appears is the observable difference between an installed and an absent application.
Explaining the steps needed to exploit the vulnerability, the researchers wrote:
- Prepare a list of application URL schemes that you want to test (for example, if you want to check whether some industry- or interest-specific applications are installed).
- Add a script to a website that tests each application from your list. The script returns an ordered array of boolean values; each value is true if the application is installed and false if it is not.
- Use machine learning algorithms to guess your website visitors’ occupation, interests, and age from the installed-application data.
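The three steps above as an added JavaScript example; this is not FingerprintJS's code. The list of schemes and the "installed" application sets are constructed for the demonstration, and the browser-dependent probe (which in a real page would watch whether the browser reacts to a custom-scheme navigation with its open-app confirmation) is abstracted as an injectable async function so that the ordering, bit-packing and decoding logic runs offline in Node.

```javascript
// Added example (not FingerprintJS's code): the scheme-flooding pipeline
// described in the three steps above, with the browser-specific probe
// injected as a function so the rest can run and be tested outside a browser.
//
// In a real page the probe would navigate a hidden iframe/popup to
// `<scheme>://` and observe whether the browser shows its "open app?"
// confirmation; that observation is the only browser-dependent part.

// Hypothetical test list of 8 custom URL schemes (the article's attack used 32).
const SCHEMES = ["skype", "slack", "spotify", "zoomus", "vscode", "steam", "discord", "notion"];

// Step 2: test each scheme in order, producing an ordered array of booleans.
async function probeAll(schemes, probe) {
  const results = [];
  for (const scheme of schemes) {
    // Probes must run sequentially: each relies on transient browser state
    // (the confirmation dialog), so concurrent probes would disturb each other.
    results.push(Boolean(await probe(scheme)));
  }
  return results;
}

// Pack the ordered booleans into an unsigned integer, one bit per scheme, and
// render it as fixed-width hex. With 32 schemes this is exactly the "32-bit
// cross-browser device identifier" the article describes.
function packIdentifier(results) {
  if (results.length > 32) throw new RangeError("at most 32 schemes per identifier");
  let id = 0;
  results.forEach((installed, i) => {
    if (installed) id |= (1 << i);
  });
  // `>>> 0` makes the value unsigned in case bit 31 was set.
  return (id >>> 0).toString(16).padStart(Math.ceil(results.length / 4), "0");
}

// Decode an identifier back into the list of installed schemes. This is what
// a tracker feeds into step 3 (profiling by installed applications).
function unpackIdentifier(idHex, schemes) {
  const id = parseInt(idHex, 16);
  return schemes.filter((_, i) => (id >>> i) & 1);
}

// Offline stand-in for the browser probe: a constructed set of installed apps.
function makeSimulatedProbe(installedApps) {
  return async (scheme) => installedApps.has(scheme);
}

async function fingerprintDevice(installedApps, schemes = SCHEMES) {
  const results = await probeAll(schemes, makeSimulatedProbe(installedApps));
  return { results, id: packIdentifier(results) };
}

// The identifier depends only on what is installed on the device, which is why
// it is stable across browsers (and private windows) on the same machine while
// differing between machines.
async function demo() {
  const laptop = new Set(["skype", "vscode", "discord"]);
  const seenFromChrome = await fingerprintDevice(laptop);
  const seenFromFirefox = await fingerprintDevice(laptop);
  const otherMachine = await fingerprintDevice(new Set(["spotify", "steam"]));
  console.log(seenFromChrome.id, seenFromFirefox.id, otherMachine.id);
  return seenFromChrome.id === seenFromFirefox.id && seenFromChrome.id !== otherMachine.id;
}

demo();
```

The packing step is the whole reason a short list of probes yields a usable tracking key: 32 independent yes/no answers give 2^32 possible values, far more than is needed to single out a visitor, and none of them change when the user switches browser or opens a private window.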
Browsers have built-in security mechanisms designed to protect users’ privacy, such as the same-origin policy. Scheme flooding bypasses them because the signal it relies on is not content from another origin but the browser’s own reaction to a custom URL scheme, which those mechanisms were not designed to hide.
Chrome was the only browser that already had some protection against scheme flooding, but even this can be bypassed. The FingerprintJS researchers noted that the issue has been reported in the Chromium bug tracker and is expected to be fixed soon.
Tor Browser, which was built to offer enhanced anonymity for privacy-conscious users, is also vulnerable, although it took the researchers much longer to exploit it.
As for protecting against the vulnerability, the researchers noted that “until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether”.