‘Scheme Flooding’ Allows Websites to Track Users Across Browsers

A flaw that allows browsers to enumerate applications on a machine threatens cross-browser anonymity in Chrome, Firefox, Microsoft Edge, Safari and even Tor.

A security researcher has discovered a vulnerability that allows websites to track users across a number of different desktop browsers — including Apple Safari, Google Chrome, Microsoft EdgeMozilla Firefox and Tor — posing a threat to cross-browser anonymity.

Called “scheme flooding,” the flaw “allows websites to identify users reliably across different desktop browsers and link their identities together,” Konstantin Darutkin, a researcher and developer at FingerprintJS, said in a blog post published Thursday. FingerprintJS is the publisher of a well-known browser-fingerprinting API.

The vulnerability uses custom URL schemes as an attack vector — hence its name, he explained in the post. It can assign someone a permanent unique identifier using information about installed apps on that person’s computer — even if he or she switches browsers, uses incognito mode or accesses the internet through a VPN.

“Cross-browser anonymity is something that even a privacy-conscious internet user may take for granted,” Darutkin said in his post. “A website exploiting the scheme-flooding vulnerability could create a stable and unique identifier that can link those browsing identities together.”

For instance, someone may use the Tor browser because it’s known for being “the ultimate in privacy protection;” however, it’s not as fast or high-performing as other browsers, so someone may opt to use Safari, Firefox or Chrome for some sites, and Tor when engaging in anonymous browsing activities — but the bug blows that anonymity out of the water, Darutkin explained.

How It Works

The vulnerability allows an attacker to determine which applications someone has installed by generating a 32-bit cross-browser device identifier that a website can use to test a list of 32 popular applications. This identification process — which checks to see if each one is installed on a computer or not — takes a few seconds and works across desktop Windows, Mac and Linux OS, he said.

To achieve this verification, browsers can use built-in custom URL scheme handlers — also known as deep linking, which is widely used on mobile devices but also available on desktop browsers as well, Darutkin explained. The feature is illustrated like this: If someone has Skype installed and types “skype://” in a browser address bar, the browser will open and ask if the user wants to launch Skype, he said.

“Any application that you install can register its own scheme to allow other apps to open it,” Darutkin said.

Exploiting the vulnerability takes four steps:

  • Prepare a list of app URL schemes to test;
  • Add a script on a website that will test each app;
  • Use this array to generate a permanent cross-browser identifier;
  • And, as an option to glean more info about a website visitor, use algorithms to guess that user’s occupation, interests and age using installed application data.

“The actual implementation of the exploit varies by browser, however, the basic concept is the same,” Darutkin explained. “It works by asking the browser to show a confirmation dialog in a popup window. Then the JavaScript code can detect if a popup has just been opened and detect the presence of an application based on that.”

Browser-Specific Exploits

While all well-known browsers generally have mechanisms in place to prevent exploitation of such a flaw, all of the ones affected have weaknesses that allow scheme flooding to work, Darutkin explained. He added that Chrome offers some protection against the vulnerability, and its developers seem to be the only ones who so far have acknowledged that it exists.

“Only the Chrome browser had any form of scheme-flood protection which presented a challenge to bypass,” Darutkin said. “It prevents launching any application unless requested by a user gesture, like a mouse click. There is a global flag that allows (or denies) websites to open applications, which is set to false after handling a custom URL scheme.”

Safari, on the other hand, was the easiest one to exploit, “despite privacy being a main development focus” of Apple’s browser developers, he noted.

“Safari doesn’t have scheme-flood protection, which allows the exploit to easily enumerate all installed applications,” Darutkin said.

The researcher said he submitted bug reports to the developers of Safari, Chrome and Firefox, as well as published a demo of the exploit and repositories of all source data in the hopes that fixes are imminent.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.

Suggested articles