Vulnerability in popular browsers could be used to track, profile users online

A vulnerability affecting desktop versions of four popular web browsers could be exploited by advertisers, malicious actors, and other third parties to track and profile users online even if they switch browsers, use incognito mode or a VPN, researcher and developer Konstantin Darutkin claims.

Scheme flooding

Darutkin and his colleagues from FingerprintJS are calling the vulnerability and its exploitation “scheme flooding,” as attackers (i.e., websites) can use browsers’ built-in custom URL scheme handlers to check if site visitors have 32 different applications installed on their desktops.

“You can see this feature in action by entering skype:// in your browser address bar. If you have Skype installed, your browser will open a confirmation dialog that asks if you want to launch it,” he explained.

Websites, such as their own live demo site, can flood the user with URL scheme requests for detecting the presence of widely used apps – such as Spotify, Zoom, Slack, Telegram, Discord, Steam, Xcode, Microsoft Word, NordVPN, Hotspot Shield, and others – and cancel those requests as soon as an app is detected as present or absent.

The information gathered from these requests can be used to create a permanent unique identifier that can link browsing identities together.

“The scheme flood vulnerability allows for targeted advertisement and user profiling without user consent. The list of installed applications on your device can reveal a lot about your occupation, habits, and age. For example, if a Python IDE or a PostgreSQL server is installed on your computer, you are very likely to be a backend developer,” Darutkin explained.

Or, for example, if the user has game clients installed, advertisers can push ads related to online games.

“Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous,” he also pointed out.

Which browsers are affected?

FingerprintJS researchers tested Chrome, Firefox, Safari and the Tor Browser and found them to be vulnerable to this type of attack – despite implemented safety mechanisms.

“A combination of CORS policies and browser window features can be used to bypass [the safety mechanisms],” Darutkin said.

“Of the four major browsers impacted, only Chrome developers appear to be aware of the scheme flooding vulnerability. The issue has been discussed on the Chromium bug-tracker and is planned to be fixed soon. Additionally, only the Chrome browser had any form of scheme flood protection which presented a challenge to bypass.”

The Register also successfully tested the technique on Brave, Yandex Browser and Microsoft Edge.

Should we worry about this?

“Getting a unique array of bits associated with a visitor’s identity is not only possible, but can be used on malicious websites in practice,” Darutkin noted, though he says that they did a quick search of the web and didn’t find any website actively exploiting the vulnerability.

Still, the researchers’ write-up could push some to use the scheme to track users online.

The team has submitted bug reports to Apple, Google and Mozilla, and hopes these vulnerability can be fixed soon. Let’s hope that other browser creators will follow suit.