Tor users, beware: 'Scheme flooding' technique may be used to deanonymize you

By probing for installed apps with custom URL schemes, it's possible to build a 32-bit unique fingerprint

FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser.

That means, for example, if you browse the web using Safari, Firefox, or Chrome for some websites, and use the Tor browser to anonymously view others, there is a possibility someone could link your browser histories across all those sessions using a unique identifier, potentially deanonymize you, and track you around the web.

Doing this is non-trivial, it can be very inaccurate or unreliable, and so this is more of a heads up than anything else.

Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application.

"The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open A website wants to open this application. [canel] [Open]."

But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query.

The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

The technique has been successfully tested on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested.

The Register initially could not get a result from Safari on macOS Big Sur because the test failed to complete. Ironically, given what's going on in the Epic v. Apple trial at the moment, the Safari test froze when it could not find "com.epicgames.launcher://test". But after clearing cookies and storage in Safari, we did manage to run the demo PoC and generate consistent fingerprint.

There have been some reports of inconsistent results and Darutkin has acknowledged that browser settings/flags, slow hardware or VMs, a slow internet connection, or user gestures during the PoC demo may skew the app count.

The various affected browsers should defend against scheme flooding but they don't. "Weaknesses in these safety mechanisms are what makes this vulnerability possible," explains Darutkin. "A combination of CORS policies and browser window features can be used to bypass it."

For example, Chrome, alone among the major browsers, has implemented scheme flood protection that requires user interaction to launch a custom scheme resource. However, Chrome extensions aren't bound by this policy because they need to be able to open custom URLs like "mailto://" links without interaction. So opening a PDF file with the built-in Chrome PDF Viewer extension resets the scheme flood prevention flag and enables the abusive app count.

The issue has been reported to the Chromium team which is currently looking at ways to address the problem.

In Firefox and Safari, scheme flooding works because the browser loads different internal pages depending upon whether the requested app is present or absent, which is all the information needed for that bit in the 32-bit app-count identifier. The situation is similar for the Tor browser, which is based on Firefox code, but requires the use of iframe elements to check app presence – and also time. It can take minutes to fingerprint a user.

As far as browser fingerprinting goes, counting apps isn't necessary when visiting a website can reveal a large number of software and hardware characteristics. But browser makers should address scheme flooding nonetheless.

FingerprintingJS includes this disclaimer with Darutkin's blog post to clarify that the sort of fingerprinting enabled by its JavaScript library is not the same as the fingerprinting made possible with the scheme flooding vulnerability:

"FingerprintJS does not use this vulnerability in our products and does not provide third-party tracking services. We focus on stopping fraud and support modern privacy trends for removing third-party tracking entirely. We believe that vulnerabilities like this one should be discussed in the open to help browsers fix them as quickly as possible." ®

Broader topics

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022