Researchers from FingerPrint said a vulnerability named Scheme flooding is aiming to access information about users’ browsing activities. The targeted browsers are Google Chrome, Mozilla Firefox, Microsoft, Safari and even the anonymous session provider Tor web browser.
The security providers stated that technique allows malicious actors see the sites that the users are visiting when they switch applications and when the VPN or incognito mode is used.
Such activities can end badly. For example, “a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous”.
The vulnerability allows tracking the people when they switch the web browsers, thereby all their responses can be recorded and even a new one can be created in the list. Tracking across the apps and see the whole path of the activities online can even be possible.
During an anti-fraud research, it was noticed that Tor’s desktop version, Safari, Chrome and Firefox were affected with this bug. This flaw uses the information about installed apps on the system. It assigns a permanent identity to the user even when they change the browser, use VPN or incognito mode during the session.
Exploiting this bug comes in stages that include preparation of URL schemes, addition lf script of the particular website, creation of permanent and unique cross-browser identifier and usage of algorithms that can use installed apps data and guess the occupation, interest and age of the user.
The bug profiles the user based on applications installed on system. Therefore, the scheme flooding can target the users with ads without permission. Your habits, occupation and age can be used by malicious actors and even criminals.
Researchers state they were aware of the flaw and are planning to fix the bug. A few day before the vulnerability was revealed, Google added prevention measures for the users to avoid user tracking by isolating embedded content form the website interaction.
Konstantin Darutkin, the researcher who analyzed the Scheme flooding stated about Chrome:
Only the Chrome browser had any form of scheme flood protection which presented a challenge to bypass. It prevents launching any application unless requested by a user gesture, like a mouse click.
However, it is possible to use Chrome extensions and bypass the scheme flood protection as a loophole in the flaw conflicts with the particular extension policies.
The usage of this bug generally varies from browser to browser. However, the outcome is t he same. The unique identification exploit is commonly practiced. You can use some different computer and hope for the flaw to get fixed soon.
