Use the array for generating permanent cross browser identifier. Any installed applications can register its own scheme that will allow other apps to open it.Įxploiting the vulnerability is a 4 steps procedure which includes preparation of a list of app URL scheme to test followed by adding a script to test the apps. This feature is illustrated such as if the user has Skype available on the device, and if the user searches it on browser through the address bar, the browser will open itself and will ask the user if they want to continue on the app. To get this verification done, browsers use a built-in custom URL scheme handler commonly called deep linking. This identification process only takes a few seconds to show results and works across Mac, Linux OS and Windows devices. The vulnerability can allow the attacker to determine the applications installed by someone through the 32 bit cross browser device identifier used by a website to test the list of 32 most popular applications. He added that a website exploring the scheme flooding vulnerability can create a unique and stable identifier that can link the browsing behavior together.ĭarutkin further explained that people prefer Tor browser because of its known ultimate privacy protection, however it is not as fast or high performing as compared to other browsers so the user should opt to use Firefox, Safari or Chrome for some sites and should use Tor while getting engaged in some anonymous browsing but the flaw can blow the confidentiality out. This won’t stop even if the user switches browser or uses a private mode or access internet through VPN.Ĭross browser anonymity is something taken for granted by a lot if privacy-savvy users, claims Konstantin Darutkin of Fingerprintjs, in his blog post. It can assign a user their own permanent unique identifier using information related to the installed applications on computer. These browsers, Apple Safari, Google Chrome, Mozilla Firefox and Tor, possess a threat to cross browsing confidentiality.Ĭustom URL schemes are used by the vulnerability as an attack vector.
According to a discovery made by a web security researcher, a vulnerability can allow websites to track their users across different desktop browsers.
0 kommentar(er)
