Tor has released Tor Browser 10.0.18, addressing multiple flaws, including a vulnerability that could be exploited to track users by fingerprinting the applications installed on the users’ devices.
The technique of tracking users by fingerprinting the applications installed by the user was documented by FingerprintJS experts.
The researchers devised a new fingerprinting technique, named scheme flooding, that could allow identifying users while browsing websites using different desktop browsers, including the Tor Browser.
The technique makes it possible to profile users while they visit websites with an ordinary browser and to identify their online activity even when they attempt to protect their anonymity using the Tor Browser.
The scheme flooding technique leverages custom URL schemes to determine which applications are installed on a user's system. An attacker could exploit the scheme flooding vulnerability to generate a 32-bit cross-browser device identifier by testing for the presence of each of 32 popular applications on the visitor's system.
Experts pointed out that analyzing the list of applications installed on a device can reveal the user's habits and other information such as occupation and age. The experts could check whether an application is installed using built-in custom URL scheme handlers; for example, entering skype:// in the browser's address bar makes it possible to check whether Skype is installed.
Even though most browsers implement safety mechanisms to prevent such exploits, a combination of CORS policies and browser window features can be used to bypass them.
As this vulnerability tracks users across browsers, it could allow websites, and even law enforcement, to track a user’s real IP address when they switch to a non-anonymizing browser, such as Google Chrome.
The development team behind the Tor Browser has addressed the flaw by setting the ‘network.protocol-handler.external’ preference to false, which prevents the browser from invoking an external application when a custom URL scheme handler is processed.
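To check whether a Firefox-based profile has this mitigation in place, the following added example (not code from the Tor Project or from the original article) parses `prefs.js`/`user.js` text and reports every preference under the `network.protocol-handler.external` prefix. The sample profile content, the function names and the per-scheme entries shown are constructed for illustration; the page does not say which entries under that prefix Tor Browser changed.

```python
import re

# Preference named in the article. Firefox-based browsers also keep related
# entries under this prefix (per-scheme and "-default"), so match the branch.
PREF_BRANCH = "network.protocol-handler.external"
PREF_LINE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Parse prefs.js/user.js text into {name: value}; later lines win."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    prefs = {}
    for name, raw in PREF_LINE.findall(text):  # "//" lines never match
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_external_handlers(text):
    """Return (name, value, verdict) for each pref in the branch."""
    prefs = parse_prefs(text)
    branch = (PREF_BRANCH + ".", PREF_BRANCH + "-")
    hits = sorted(n for n in prefs if n == PREF_BRANCH or n.startswith(branch))
    if not hits:
        return [(PREF_BRANCH, None, "not set: browser default applies")]
    findings = []
    for name in hits:
        value = prefs[name]
        if value is False:
            verdict = "ok: external handler disabled"
        elif value is True:
            verdict = "review: external handler enabled"
        else:
            verdict = "review: non-boolean value"
        findings.append((name, value, verdict))
    return findings

# Constructed sample profile content, not from a real installation.
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 0);
user_pref("network.protocol-handler.external.mailto", true);
// user_pref("network.protocol-handler.external.skype", true);
user_pref("network.protocol-handler.external-default", false);
'''

if __name__ == "__main__":
    print(*audit_external_handlers(SAMPLE_PREFS), sep="\n")
```

A "not set" result means the file does not override the preference, so the effective value is whatever the installed browser version ships as its default.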