The vulnerability affects top browsers including Chrome, Firefox, Safari, and even Tor.
It is not unusual for a user to switch between using different browsers for different browsing activities and those who have made this into a routine may even be at risk because a security researcher and developer at FingerprintJS, Konstatin Darutkin, recently discovered a vulnerability that allows websites to track users across different browsers.
This not only poses a threat to cross-browser anonymity but also allows websites to identify users reliably across different desktop browsers and link their identities together.
This flaw is referred to as “scheme flooding” and affects various browsers including:
- Apple’s Safari
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Tor browser
The vulnerability allows an attacker to determine which applications someone has installed by generating a 32-bit cross-browser device identifier that a website can use to test a list of 32 popular applications.
This tracking across different browsers is done by querying the installed applications on the device because certain applications, when installed, will create custom URL schemes that the browser can use to launch a URL in a specific application.
If that specific application is launched, it means that that application is installed and then a profile of the applications installed on a device can be built, compromising cross-browser anonymity. By checking for different URL handlers, a script can use the detected applications to build a unique profile for your device.
Currently, from amongst the four major browsers tested, only Google Chrome has been known to previously have added mitigations to prevent this type of attack from taking place and its developers are the only ones who have acknowledged that this vulnerability exists so far, the researcher noted in their blog post.
However, Darutkin discovered that there was a loophole in this as well. Triggering a built-in Chrome extension, such as the Chrome PDF Viewer, bypasses this mitigation.
Microsoft Edge Program Manager Eric Lawrence has acknowledged the attack while Chromium and Microsoft engineers are working on a fix in a new bug report.
Until browsers add working mitigations for this attack, the only way to prevent this method of cross-browser tracking is to use a browser on a different device.
The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor’s identity is not only possible but can be used on malicious websites in practice. Until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether, Darutkin concluded.