A new fingerprinting vulnerability, named scheme flooding, can allow malicious web sites to deanonymize users across different desktop browsers.
Security researchers at FingerprintJS announced a new fingerprinting vulnerability that can profile users across different desktop browsers. The vulnerability stems from the ability of a malicious web site to use custom URL schemes to determine which applications are installed on users’ computers. This is possible because custom URL schemes allow web links like zoom:// to prompt the browser to open the referenced application.
FingerprintJS developed a live demo application (https://schemeflood.com) that lets users check whether their browsers are vulnerable to scheme flooding attacks and demonstrates how they can be uniquely identified across different browsers. The current demo application tests for the presence of a list of 24 popular applications on the users’ devices. Upon determining the installed applications, each user is assigned a 32-bit unique identifier. An example run of the demo application is depicted in Figure 1. The source code of this demo application is also available on GitHub.
However, profiling is not limited to these 24 popular applications. Using built-in custom URL scheme handlers, attackers can check for the existence of any application on users’ systems. According to the researchers, the user fingerprinting technique can be exploited with the following steps.
- Prepare a list of URL schemes for the applications of interest.
- Add a script to a website that tests each of these applications and returns an array of boolean values indicating whether each application exists on a user’s system.
- Use the values in this array to generate a cross-browser unique identifier.
- Optionally, use an algorithm to guess additional information on users, such as age, gender, occupation, interests etc.
Though not explicitly stated in the blog post, the vulnerability can also be exploited by third-party plugins and add-ons installed in web browsers.
According to the researchers, the vulnerability has existed for almost 5 years. When the vulnerability was announced in May 2021, the desktop versions of Safari, Chrome, Firefox and Tor Browser were affected by it. However, Tor Browser recently issued an update (10.0.18) to fix the scheme flooding vulnerability.
Unsuspecting users can be uniquely identified across multiple browsers by malicious web sites or third-party plugins and add-ons. The vulnerability also allows attackers to infer private information about users from the applications they use. With this inferred information, users of the vulnerable browsers could also fall victim to spear-phishing attacks.
Category: User Profiling/Fingerprinting
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
To defend against possible attacks based on the scheme flooding vulnerability, privacy-conscious users should check whether their browsers are still vulnerable and update their browsers to the most recent versions. As of this post’s date (June, 2020), Tor Browser issued an update (10.0.18) to fix the scheme flooding vulnerability.
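The probing described in the steps earlier shows up as one page attempting navigations to many different custom schemes in quick succession. The following added example (not code from FingerprintJS or from this page's sources) flags that pattern in a navigation log; the event format, the thresholds, the `app-*` scheme names and the sample events are assumptions constructed for illustration.

```javascript
// Added example: flag origins that try many distinct custom URL schemes in a short window.
// Event shape { t, origin, url, userGesture } and both thresholds are assumptions.
const WEB_SCHEMES = new Set(["http", "https", "about", "blob", "data", "javascript", "file", "ws", "wss"]);

// Return the lowercased scheme of a URL, or null for a relative URL.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function findSchemeFlooding(events, { windowMs = 10000, maxDistinct = 3 } = {}) {
  // Keep only navigations to non-web (application) schemes, grouped by initiating origin.
  const byOrigin = new Map();
  for (const ev of events) {
    const scheme = schemeOf(ev.url);
    if (!scheme || WEB_SCHEMES.has(scheme)) continue;
    if (!byOrigin.has(ev.origin)) byOrigin.set(ev.origin, []);
    byOrigin.get(ev.origin).push({ t: ev.t, scheme, gesture: ev.userGesture });
  }
  const findings = [];
  for (const [origin, hits] of byOrigin) {
    hits.sort((a, b) => a.t - b.t);
    let worst = null;
    let start = 0;
    // Sliding window: report the window with the most distinct schemes over the threshold.
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].t - hits[start].t > windowMs) start++;
      const win = hits.slice(start, end + 1);
      const distinct = new Set(win.map((h) => h.scheme));
      if (distinct.size > maxDistinct && (!worst || distinct.size > worst.schemes.length)) {
        const withoutGesture = win.filter((h) => !h.gesture).length;
        worst = { origin, schemes: [...distinct].sort(), withoutGesture };
      }
    }
    if (worst) findings.push(worst);
  }
  return findings;
}

// Constructed sample log: one ordinary app launch, one burst of probes, two slow contact links.
const SAMPLE_EVENTS = [
  { t: 0, origin: "https://meeting.example", url: "zoom://join", userGesture: true },
  { t: 500, origin: "https://probe.example", url: "https://probe.example/next", userGesture: false },
  ...["zoom", "app-one", "app-two", "app-three", "app-four"].map((s, i) => (
    { t: 1000 + 200 * i, origin: "https://probe.example", url: `${s}://test`, userGesture: false })),
  { t: 0, origin: "https://slow.example", url: "mailto:a@slow.example", userGesture: true },
  { t: 60000, origin: "https://slow.example", url: "tel:+10000000000", userGesture: true },
];
console.log(findSchemeFlooding(SAMPLE_EVENTS));
```

A single launch after a click (the meeting page) and widely spaced contact links stay below the threshold; only the origin that tries five schemes within one second, none preceded by a user gesture, is reported.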
“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.” (Gary Kovacs)
References to Advisories, Solutions and Tools
- FingerprintJS Blog Post by Konstantin Darutkin
- Scheme Flooding Demo Website
- Source Code of the Demo Application for Scheme Flooding (GitHub)