Tor Browser 10.0.18 fixes a bug that allows to track users by fingerprinting installed apps

The Tor Project released Tor Browser 10.0.18 that addresses a flaw that allows sites to track users by fingerprinting the installed apps.

The Tor Project has released Tor Browser 10.0.18, the new version of the popular browser addresses multiple flaws, including a vulnerability that could be exploited to track users by fingerprinting the applications installed on the users’ devices.

“This version updates Tor to 0.4.5.9, including important security fixes. In addition, on Android, this version updates Firefox to 89.1.1, and NoScript to 11.2.8 This version includes important security updates to Firefox for Android.” reads the announcement published by the Tor Project.

The technique of tracking users by fingerprinting the applications installed by the user was documented by FingerprintJS experts in May. The researchers devised a new fingerprinting technique, named scheme flooding, that could allow identifying users while browsing websites using different desktop browsers, including the Tor Browser.

The technique allows to profile users while visiting websites with an ordinary browser, such as Safari, Chrome, and Firefox, and identify their online activity even when they attempt to protect their anonymity using the Tor browser.

The scheme flooding technique leverages custom URL schemes to determine the applications installed by the users

“The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.” reads the post published by FingerprintJS. “The scheme flooding vulnerability allows for third party tracking across different browsers and thus is a violation of privacy.”

The scheme flooding vulnerability could be exploited by an attacker to generate a 32-bit cross-browser device identifier that tests the presence of a list of 32 popular applications on the visitors’ system.

Experts pointed out that the analysis of the list of installed applications on your device can allows to discover your habits and other info like occupation and age.

The experts could check if an application is installed using built-in custom URL scheme handlers, for example, by entering skype:// in the address bar of the browser is possible to check the installation of Skype.

To exploit the technique experts provides the following procedure:

1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals, for example, if you want to check if some industry or interest-specific applications are installed.
2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
3. Use this array to generate a permanent cross-browser identifier.
4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

Even if most browsers implements safety mechanisms to prevent such exploits, a combination of CORS policies and browser window features can be used to bypass them.

The experts successfully tested the technique on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested.

In the case of the Tor browser, this kind of issue is very dangerous because could be exploited by threat actors to unmask Tor users. As this vulnerability tracks users across browsers, it could allow websites, and even law enforcement, to track a user’s real IP address when they switch to a non-anonymizing browser, such as Google Chrome.

The development team behind the Tor Browser has addressed the flaw by setting the ‘network.protocol-handler.external’ to false in order to prevent the browser from invoking an external application once a built-in custom URL scheme handler is processed.

Tor Project also reminds us that Tor Browser will stop supporting version 2 onion services later this year and is recommending administrators of services to migrate them and update their bookmarks to version 3 onion services as soon as possible.

Users can check for and install any new updates by opening the menu, going to Help, and selecting About Tor Browser.

You can also download the latest browser from the Tor Browser download page and the distribution directory.