Chrome, Firefox, Safari, and Tor Browser all affected by ‘scheme flooding’ attacks


A vulnerability that can allow websites to identify and track users, bypassing privacy protections, is present in multiple major browsers, researchers have warned.

The flaw can allow a site to assign users a permanent unique identifier and use this to trace their behavior across different browsers – even if they are using a VPN, private browsing session, or other privacy-preserving tools and techniques.

Dubbed ‘scheme flooding’, the issue has been present in browsers for at least five years – and despite the fact there is no evidence it is being actively exploited on a large scale, researchers warn that the issue is nevertheless a “violation of privacy”.

The vulnerability was identified by security researchers at FingerprintJS, who found that they were able to launch scheme flooding exploits in Chrome, Safari, Firefox, and Tor Browser.

Checking it out

Browsers can generate a 32-bit cross-browser device identifier by testing a list of 32 applications and checking if they are installed on a user’s device.

According to researchers, on average, the fingerprinting process takes a few seconds and works across desktop Windows, macOS, and Linux operating systems.

Custom URL scheme handling is used to check whether the application in question has been installed – this is used to allow a browser to open the app via a pop-up configuration box.


Read more of the latest browser security news


Explaining the steps needed to exploit the vulnerability, the researchers wrote:

  • Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
  • Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
  • Use this array to generate a permanent cross-browser identifier.
  • Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Bypassing protections

Today’s web browsers have built-in security mechanisms that are designed to protect users’ privacy. However, these mechanisms can be bypassed with scheme flooding.

Safari, Firefox, and Tor Browser, which is built on the Firefox codebase, are vulnerable due to the exploitation of the same-origin policy implementation.

The blog post reads: “Every time you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it is impossible to access it because of the same-origin policy limitation.

“On the other hand, a known custom URL scheme will be opened as about:blank, whose origin will be accessible from the current website.”


DON’T FORGET TO READ What the FLoC? Everything you need to know about Google’s new ad tech that aims to replace third-party cookies


The researchers added: “By opening a pop-up window with a custom URL scheme and checking if its document is available from JavaScript code, you can detect if the application is installed on the device.”

Chrome was the only browser that already has some protections against scheme flooding, but even this can be bypassed. The FingerprintJS researchers noted that the issue has been flagged by the Chromium bug tracker and will be fixed soon.

Interestingly, although Tor Browser – which was built to offer enhanced anonymity for privacy-conscious users – is vulnerable, it took researchers much longer to exploit it.

Mitigations

To protect against the vulnerability, the researchers noted that “until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether”.

The Daily Swig has reached out to developers at Chrome, Firefox, Safari, and Tor Browser for more information of when a fix will be available.


YOU MAY ALSO LIKE Google and Mozilla unveil plans to bake HTML sanitization into their browsers