All major desktop browsers vulnerable to tracking flaw that can bypass privacy tools – Research
Chrome, Firefox, Safari, and the Tor browser are all affected by “scheme flooding” attacks
A vulnerability that can allow websites to identify and track users, bypassing privacy protections, is present in several major browsers, researchers have warned.
The flaw can allow a site to assign users a permanent unique identifier and use it to track their behavior across different browsers, even if they are using a VPN, a private browsing session, or other privacy protection tools and techniques.
Dubbed “scheme flooding”, the problem has been present in browsers for at least five years. Although there is no evidence that it is being actively exploited on a large scale, the researchers warn that it is nonetheless a “violation of privacy”.
The vulnerability was identified by FingerprintJS security researchers, who found they were able to run scheme flooding exploits in Chrome, Safari, Firefox, and Tor Browser.
Check it
A 32-bit cross-browser device ID can be generated by testing a list of 32 applications and checking whether each one is installed on the user’s device.
According to the researchers, on average, the fingerprinting process takes seconds and works on desktop Windows, macOS, and Linux operating systems.
Custom URL scheme handling is used to check whether a given app is installed. This is the same feature that lets a browser open the app through a pop-up dialog box.
Explaining the steps required to exploit the vulnerability, the researchers wrote:
Bypass of protections
Today’s web browsers have built-in security mechanisms designed to protect user privacy. However, these mechanisms can be bypassed with scheme flooding.
Safari, Firefox and Tor Browser, which is built on Firefox code, are vulnerable because of the way they implement the same-origin policy.
The blog post reads: “Whenever you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it cannot be accessed due to the limitation of same-origin policy.
“On the other hand, a known custom URL scheme will be opened as, the origin of which will be accessible from the current website.”
The researchers added: “By opening a pop-up window with a custom URL scheme and checking if its document is available from the JavaScript code, you can detect if the app is installed on the device.”
Chrome was the only browser that already had some scheme flooding protection, but even that can be worked around. FingerprintJS researchers noted that the issue has been reported to the Chrome bug tracker and will be fixed soon.
Interestingly, while the Tor browser, which was designed to provide enhanced anonymity for privacy-conscious users, is vulnerable, the researchers took significantly longer to exploit it.
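The probing described above has to try many custom URL schemes from a single page within a short time, so the burst itself is something a browser, extension or telemetry pipeline can look for. The following is an added example, not code from the article or from FingerprintJS: a sliding-window detector run over a constructed navigation log. The log format, the thresholds and every name in it are assumptions.

```javascript
// Added example. The event format, thresholds and all names are assumptions.
const WEB_SCHEMES = new Set(["http", "https", "about", "blob", "data", "file", "ws", "wss"]);

// Constructed sample log: { t: ms timestamp, origin: page that navigated, url: target }.
const SAMPLE_EVENTS = [
  // One origin probing 32 made-up schemes, 100 ms apart (32 probes = 32 bits).
  ...Array.from({ length: 32 }, (_, i) => (
    { t: i * 100, origin: "https://tracker.example", url: `app${i}://probe` })),
  // Benign: two different handlers, far apart in time.
  { t: 500, origin: "https://mail.example", url: "mailto:user@mail.example" },
  { t: 40000, origin: "https://mail.example", url: "tel:+10000000000" },
  // Benign: the same single handler retried several times.
  ...[0, 1, 2, 3, 4].map(i => (
    { t: i * 200, origin: "https://meet.example", url: "meetapp://join/123" })),
  { t: 50, origin: "https://meet.example", url: "https://meet.example/help" },
];

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Flag origins that try more than maxDistinct different non-web schemes
// inside any sliding window of windowMs milliseconds.
function detectSchemeFlooding(events, { windowMs = 10000, maxDistinct = 3 } = {}) {
  const byOrigin = new Map();
  for (const e of events) {
    const scheme = schemeOf(e.url);
    if (!scheme || WEB_SCHEMES.has(scheme)) continue; // ordinary navigation
    if (!byOrigin.has(e.origin)) byOrigin.set(e.origin, []);
    byOrigin.get(e.origin).push({ t: e.t, scheme });
  }
  const findings = [];
  for (const [origin, probes] of byOrigin) {
    probes.sort((a, b) => a.t - b.t);
    let start = 0, worst = 0;
    for (let end = 0; end < probes.length; end++) {
      while (probes[end].t - probes[start].t > windowMs) start++;
      const inWindow = probes.slice(start, end + 1).map(p => p.scheme);
      worst = Math.max(worst, new Set(inWindow).size);
    }
    // Each distinct scheme probed can leak one installed/not-installed bit.
    if (worst > maxDistinct) findings.push({ origin, distinctSchemes: worst, bitsAtRisk: worst });
  }
  return findings;
}

console.log(detectSchemeFlooding(SAMPLE_EVENTS));
```

Counting distinct schemes rather than raw attempts keeps a page that retries one legitimate handler from being flagged.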
Mitigations
To protect against the vulnerability, the researchers noted that “until this vulnerability is patched, the only way to have private browsing sessions not associated with your primary device is to use another device.”
The Daily Swig has contacted the developers of Chrome, Firefox, Safari and Tor Browser for more information on the availability of a fix.