A recent report from a cybersecurity researcher reveals that there’s presently a vulnerability that could allow threat actors to track user activity on different desktop browsers. Such browsers include Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and the Tor browser. The discovered flaw could compromise users’ anonymity across each of the mentioned browsers.
The discovered vulnerability is called “scheme flooding” and it can allow hackers to identify the targeted victim across different browsers. This was reported by Konstantin Darutkin, a security researcher at FingerprintJS.
The attack vector of the vulnerability is a custom URL scheme which is why the flaw is named that way (scheme flooding). By using data about the apps installed on the victim’s computers, the attacker could assign a permanent unique identifier. After that, even if the victim switches to a different browser, uses a VPN service, and/or uses the browser’s incognito mode, the hacker would still be able to track them.
According to the researcher, cross-browser anonymity is something that even users who take online privacy and security seriously may not consider a potential weakness. However, a site that uses the scheme-flooding vulnerability can easily create a stable, permanent unique identifier that lets it keep tabs on the user even after they switch to a different browser.
For example, some users may prefer the Tor browser when they want to stay anonymous on the Internet, because Tor has very strong privacy features. However, since Tor is a rather slow browser, the same user may choose Firefox or Chrome for visiting sites on which staying anonymous isn’t such a high priority. If the scheme flooding vulnerability is exploited, the privacy and anonymity of Tor no longer have any effect, because the permanent unique identifier works across browsers.
How the Vulnerability Can be Exploited
The security flaw can enable attackers to learn which apps are on the victim’s PC and derive a 32-bit device identifier that works across browsers. A malicious site tests which applications from a list of 32 popular apps are present on the user’s computer, and each result becomes one bit of the identifier. This works on Windows, Linux, and macOS and takes only a couple of seconds.
The researcher explains that this is achieved through the browser’s built-in support for custom URL scheme handlers – a feature that is widespread on smartphones and tablets but is also present in desktop browsers.
This feature works in the following way: if the user has a certain program installed on their PC (for instance Skype) and types “skype://” in the browser URL bar and hits Enter, the browser will ask whether the user wants to start the Skype app. The same applies to other apps that register a custom scheme.
The following are all the steps needed to successfully exploit the vulnerability:
- Create a list of application URL schemes (like the example with Skype) to test whether those apps are installed on the computer.
- Add a testing script in the site to figure out which of the apps are on the PC.
- Use this to create a unique identifier that works across different browsers.
- Optionally, use algorithms to find out more information about the user, including personal interests, age, occupation, etc., by using data from any of the apps that have been found to be installed on the computer.
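The steps above describe the probing pattern from the attacker's side; a defender-side heuristic for spotting it is shown here as an added example, not code from FingerprintJS or the research. It assumes a constructed log of the navigation attempts one page made; the thresholds and every scheme name other than skype:// are constructed for the example.

```javascript
// Added example: flag "scheme flooding" from a log of navigation attempts made
// by ONE page visit. A legitimate site opens one or two custom-scheme links
// (a "Join call" button); a probing script fires dozens within seconds.

// Schemes the web platform itself uses; these never count as app probes.
const WEB_SCHEMES = new Set(["http", "https", "about", "blob", "data", "javascript", "file"]);

// Extract the scheme from a URL string, or null if it has none (relative URL).
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// events: [{ ts: <ms>, url: <string> }, ...]. Returns { flooding, distinctSchemes,
// windowMs }; flooding is true when at least `minSchemes` distinct non-web
// schemes were attempted within any sliding window of `windowMs` milliseconds.
function detectSchemeFlooding(events, { minSchemes = 5, windowMs = 10000 } = {}) {
  const probes = events
    .map((e) => ({ ts: e.ts, scheme: schemeOf(e.url) }))
    .filter((e) => e.scheme && !WEB_SCHEMES.has(e.scheme))
    .sort((a, b) => a.ts - b.ts);
  let best = 0;
  for (let i = 0; i < probes.length; i++) {
    const seen = new Set();
    for (let j = i; j < probes.length && probes[j].ts - probes[i].ts <= windowMs; j++) {
      seen.add(probes[j].scheme);
    }
    best = Math.max(best, seen.size);
  }
  return { flooding: best >= minSchemes, distinctSchemes: best, windowMs };
}

// Constructed sample logs (hypothetical), not captured from any real site.
const BENIGN_LOG = [
  { ts: 1000, url: "https://example.test/meeting" },
  { ts: 4000, url: "skype://example.test/join" }, // the user clicked "Join call"
];
const FLOOD_LOG = [
  { ts: 1000, url: "https://tracker.test/" },
  // skype:// is from the article; app1..app6 stand in for other probed schemes.
  ...["skype", "app1", "app2", "app3", "app4", "app5", "app6"]
    .map((s, i) => ({ ts: 1100 + i * 150, url: `${s}://probe` })),
];

console.log(detectSchemeFlooding(BENIGN_LOG)); // flooding: false, distinctSchemes: 1
console.log(detectSchemeFlooding(FLOOD_LOG));  // flooding: true,  distinctSchemes: 7
```

Tune `minSchemes` and `windowMs` to the site: the 32-scheme probe the article describes completes in seconds, so even a conservative threshold separates it from a single user-initiated app launch.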
Exploits Specific for Different Browsers
Most popular browsers already have built-in defenses that help prevent the exploitation of such types of weaknesses. However, this specific flaw can be exploited in each of the aforementioned browsers through scheme flooding. According to Darutkin, at the moment only Chrome developers have done any work to help protect the browser against this vulnerability and have acknowledged its existence.
The protection of Chrome prevents any app from starting unless the user requests it through a gesture (such as a mouse click). Also, Chrome globally prevents sites from automatically starting apps after a custom URL scheme is handled by the browser.
Darutkin also reports that Safari is apparently the easiest of the aforementioned browsers to compromise, which is rather surprising given Apple’s overall focus on privacy and security in its products and software.
The researcher points out that Safari lacks any sort of scheme-flood defenses, making it quite easy to exploit this weakness in it.
Darutkin has already submitted reports concerning the bug to the developers of the vulnerable browsers and has also published a demonstration of how the bug can be exploited, hoping that the weakness will be fixed before a hacker tries to exploit it in the wild.