Scheme flooding fingerprint technique may deanonymize Tor users

FingerprintJS experts devised a fingerprinting technique, named scheme flooding, that could allow identifying users across different desktop browsers, including the Tor Browser.

FingerprintJS experts devised a new fingerprinting technique, named scheme flooding, that could allow identifying users while browsing websites using different desktop browsers, including the Tor Browser.

The technique allows to profile users while visiting websites with an ordinary browser, such as Safari, Chrome, and Firefox, and identify their online activity even when they attempt to protect their anonymity using the Tor browser.

The scheme flooding technique leverages custom URL schemes to determine the applications installed by the users

“The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.” reads the post published by FingerprintJS. “The scheme flooding vulnerability allows for third party tracking across different browsers and thus is a violation of privacy.”

The scheme flooding vulnerability could be exploited by an attacker to generate a 32-bit cross-browser device identifier that tests the presence of a list of 32 popular applications on the visitors’ system.

Experts pointed out that the analysis of the list of installed applications on your device can allows to discover your habits and other info like occupation and age.

The experts could check if an application is installed using built-in custom URL scheme handlers, for example, by entering skype:// in the address bar of the browser is possible to check the installation of Skype.

To exploit the technique experts provides the following procedure:

1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
3. Use this array to generate a permanent cross-browser identifier.
4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Even if most browsers implements safety mechanisms to prevent such exploits, a combination of CORS policies and browser window features can be used to bypass them.

The experts successfully tested the technique on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested.

“The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor’s identity is not only possible, but can be used on malicious websites in practice. Even Tor Browser can be effectively exploited by tricking a user into typing one character per application we want to test.” concludes the experts.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

[adrotate banner=”5″]

[adrotate banner=”13″]