FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it had identified a more questionable fingerprinting technique capable of generating a consistent identifier across desktop browsers, including Tor Browser.
That means, for example, that if you browse the web using Safari, Firefox, or Chrome for certain websites and use the Tor Browser to anonymously view others, there is a chance that someone could link your browsing history across all of those sessions under a single identifier, potentially deanonymizing you and tracking you across the web.
Doing so is not trivial, it can be quite inaccurate or unreliable, and so it is more of a nuisance than anything else.
Konstantin Darutkin, senior software engineer at FingerprintJS, wrote in a blog post that the company calls the privacy vulnerability “scheme flooding.” The name refers to abuse of custom URL schemes, which produce web links such as “skype://” or “slack://” that prompt the browser to open the associated application.
“The scheme flood vulnerability allows an attacker to determine which applications you have installed,” Darutkin explains. “To generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not.”
Visiting the schemeflood.com site with a desktop (not mobile) browser and clicking on the demo generates a flood of custom URL scheme requests using a starting list of likely apps. A browser user would normally see a permission modal pop up that says something like, “Open Slack.app? A website wants to open this application. [Cancel] [Open Slack.app].”
But in this case, the demo script dismisses the prompt if the app is present, or reads the resulting error as confirmation that the app is absent. It displays the icon of the requested app if it is found, and proceeds to the next query.
The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, violating privacy expectations.
The method was successfully tested on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera has not been tested.
The Register initially did not get a result from Safari on macOS Big Sur because the test failed to complete. Ironically, given what has gone on in the Epic v. Apple trial so far, the Safari test froze when it checked for “com.epicgames.launcher://test”. But after clearing cookies and storage in Safari, we managed to run the demo PoC and generate a consistent fingerprint.
There have been several reports of inconsistent results, and Darutkin acknowledged that browser settings or flags, slow hardware or VMs, a slow internet connection, or user behavior during the PoC demo could corrupt the app count.
The various affected browsers are supposed to defend against scheme flooding, but they don’t. “Weaknesses in these safety mechanisms are what make this vulnerability possible,” Darutkin explains. “A combination of CORS policies and browser window features can be used to bypass this.”
For example, Chrome, alone among major browsers, has implemented scheme flood protection that requires user interaction before a custom-scheme resource is launched. However, Chrome extensions are not bound by this policy because they need to open custom URLs such as “mailto://” links without user interaction. So opening a PDF file with the built-in Chrome PDF Viewer extension resets the flood-prevention flag and allows the abusive app enumeration to continue.
The issue has been reported to the Chromium team, which is currently looking for ways to address it.
In Firefox and Safari, scheme flooding works because the browser loads different internal pages depending on whether the requested app is present or not, which is all the information needed for that bit of the 32-bit app-count identifier. The situation is similar for the Tor Browser, which is based on Firefox code, but it requires the use of iframe elements to check for an app’s existence, and time as well: it can take a few minutes to fingerprint a user.
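As an added example, not code from FingerprintJS or from The Register, here is the kind of detector a defender might run over a navigation log to spot the pattern the article describes: a single origin probing many distinct custom URL schemes within a few seconds. The log format, origins, schemes, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <page origin> <navigation target>"
SAMPLE_LOG = """\
2021-05-13T10:00:00 https://news.example.org https://cdn.example.org/app.js
2021-05-13T10:00:01 https://news.example.org mailto:editor@example.org
2021-05-13T10:00:05 https://probe.example.net skype://test
2021-05-13T10:00:05 https://probe.example.net slack://test
2021-05-13T10:00:06 https://probe.example.net zoommtg://test
2021-05-13T10:00:06 https://probe.example.net spotify://test
2021-05-13T10:00:07 https://probe.example.net vscode://test
2021-05-13T10:00:07 https://probe.example.net skype://test
2021-05-13T10:00:08 https://probe.example.net steam://test
"""

WEB_SCHEMES = {"http", "https", "blob", "data", "about"}  # not app launchers
WINDOW = timedelta(seconds=10)  # assumed burst window
THRESHOLD = 5  # assumed: distinct custom schemes inside one window

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, origin, target = line.split()
        scheme = urlsplit(target).scheme.lower()  # "skype://test" -> "skype"
        events.append((datetime.fromisoformat(ts), origin, scheme))
    return events

def flag_scheme_floods(text, window=WINDOW, threshold=THRESHOLD):
    """Return {origin: sorted custom schemes} for each origin that probed
    at least `threshold` distinct custom schemes within `window`."""
    by_origin = defaultdict(list)
    for ts, origin, scheme in parse_log(text):
        if scheme and scheme not in WEB_SCHEMES:
            by_origin[origin].append((ts, scheme))
    flagged = {}
    for origin, probes in by_origin.items():
        probes.sort()  # sliding window over time-ordered probes
        for i, (start, _) in enumerate(probes):
            seen = {s for t, s in probes[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[origin] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for origin, schemes in flag_scheme_floods(SAMPLE_LOG).items():
        print(f"{origin}: {len(schemes)} custom schemes probed: {schemes}")
```

The single mailto: link from the news origin stays below the threshold, while the probing origin is flagged with six distinct schemes.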
As far as browser fingerprinting goes, apps aren’t strictly required, since a visit to a website can already disclose a large number of software and hardware features. But browser makers still need to address scheme flooding.
“FingerprintJS does not exploit this vulnerability in our products and does not provide third-party tracking services. We are committed to stopping fraud and support modern privacy trends for the complete elimination of third-party tracking. We believe that vulnerabilities like this should be discussed in the open to help browsers fix them as quickly as possible.”