Internet users who rely on multiple web browsers to protect themselves from tracking have a strong reason to be concerned. Researchers have discovered that the increasingly popular Custom URL Handlers can allow websites and online services to track users across multiple browser platforms.
Researchers claim to have developed a way to track a user across different browsers. Internet users may use multiple web browsers on the same machine. However, a website can still track them just by querying which applications are installed on the device.
What are Custom URL Handlers?
Several popular websites, applications and online services are deploying custom URL schemes. Web browsers can recognize these custom URLs and launch the web-based service in a locally-installed application.
The most common example is Zoom, the insanely popular virtual meeting and videoconferencing platform. Internet users will recognize that they have often clicked on a URL that began with zoommtg://.
Whenever an internet user clicks on a URL that begins with zoommtg://, the computer or smartphone prompts the user to launch the locally-installed Zoom client.
Similarly, applications and online services have configured over a hundred different custom URL handlers. Notable platforms include Slack, Skype, Windows 10 and Steam.
The newly-discovered scheme flooding technique currently checks for twenty-four applications. These include Skype, Spotify, Zoom, vscode, Epic Games, Telegram, Discord, Slack, Steam, Battle.net, Xcode, NordVPN, Sketch, Teamviewer, Microsoft Word, WhatsApp, Postman, Adobe, Messenger, Figma, Hotspot Shield, ExpressVPN, Notion, and iTunes.
What is ‘scheme flooding’ which can help websites track users across multiple web browsers?
A researcher from FingerprintJS has disclosed a vulnerability that allows a website to track the user of a device through these Custom URL Handlers. Concerningly, the vulnerability allows tracking across different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.
A new vulnerability report from FingerprintJS’ Konstantin Darutkin mentions: “Cross-browser anonymity is something that even a privacy-conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection. However, it generally has slow connection speed and performance issues on some websites. Hence, users may rely on less anonymous browsers for their everyday surfing.”
“They may use Safari, Firefox, or Chrome for some sites, and Tor for sites where they want to stay anonymous. A website exploiting the vulnerability could create a stable and unique identifier that can link those browsing identities together.”
To successfully track users using the new method, a website builds a profile of applications installed on a device. The method is quite simple.
A rogue website probes the visitor’s browser with known URL handlers to check whether the browser launches a prompt. If a prompt is triggered, the user has the specific app installed.
By pinging for different URL handlers and checking for app launch prompts, a script can use the detected applications to build a unique profile for the target’s device.
Needless to say, the installed applications remain the same no matter which browser is used. Using this logic, a script can link a user’s browsing on Google Chrome to their browsing on an anonymizing browser such as Tor.
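Because the method described above depends on a page trying many different custom URL handlers in turn, the number of distinct custom schemes referenced in a page's source is a usable detection signal. The following is an added example, not code from FingerprintJS or the original article: a static heuristic whose function names, threshold of five and sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for scheme-flooding-style probing in page source.
// Limitation: only sees "scheme://" string literals, not URLs assembled at runtime.

// Schemes browsers handle themselves; references to these are not handler probes.
const BUILTIN_SCHEMES = new Set([
  "http", "https", "ws", "wss", "ftp", "file", "data", "blob", "about",
]);

// RFC 3986 scheme syntax followed by "://", at the start of a quoted literal.
const SCHEME_RE = /["'`]([a-zA-Z][a-zA-Z0-9+.-]*):\/\//g;

// Return the distinct custom (non-builtin) URL schemes referenced in the source.
function customSchemes(source) {
  const found = new Set();
  for (const m of source.matchAll(SCHEME_RE)) {
    const scheme = m[1].toLowerCase();
    if (!BUILTIN_SCHEMES.has(scheme)) found.add(scheme);
  }
  return [...found].sort();
}

// Flag a page that references more distinct custom schemes than a normal page
// needs. The default threshold is an assumption and should be tuned on real data.
function assessPage(source, threshold = 5) {
  const schemes = customSchemes(source);
  return { schemes, suspicious: schemes.length >= threshold };
}

// Constructed sample 1: an ordinary page with a single meeting link.
const benignPage = `
  <a href="https://example.com/help">Help</a>
  <a href="zoommtg://example.invalid/join">Join meeting</a>`;

// Constructed sample 2: a script holding a list of handler URLs.
// Every scheme except zoommtg is a made-up placeholder.
const probingPage = `
  <script>
    const targets = ["zoommtg://x", "app-a://x", "app-b://x",
                     "app-c://x", "app-d://x", "app-e://x"];
  </script>`;

console.log(assessPage(benignPage));   // one custom scheme, not flagged
console.log(assessPage(probingPage));  // six custom schemes, flagged
```

A page that legitimately deep-links into one or two applications stays below the threshold, while a page enumerating a long handler list does not.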