Using multiple browsers will not ensure anonymity: Researchers develop cross-browser tracking mechanism that relies on ‘Custom URL Handlers’

Cross Browser Tracking Custom URL Handles
Using multiple web browsers cannot prevent tracking. Pic credit: TheAndrasBarta/Pixabay

Internet users who feel confident while using multiple web browsers to protect themselves from tracking have a strong reason to be concerned. Researchers have discovered the increasingly popular Custom URL Handlers can allow websites and online services to track users across multiple browser platforms.

Researchers claim to have developed a way to track a user across different browsers. Internet users may use multiple web browsers on the same machine. However, just by querying the installed applications on the device, they can be tracked.

What are Custom URL Handlers?

Several popular websites, applications and online services are deploying custom URL schemes. Web browsers can recognize these custom URLs and launch the web-based service in a locally-installed application.

The most common example is of Zoom, the insanely popular virtual meeting and videoconferencing platform. Internet users will realize they have often clicked on a URL that began with zoommtg://.

Whenever an internet user clicks on any URL that begins with zoommtg://, the computer or even smartphone asks or prompts the user to launch the locally-installed Zoom client.

Similarly, there are over a hundred different custom URL handlers that applications and online services have configured. Some of the notable platforms are Slack, Skype, Windows 10, Steam, etc.

The newly-discovered scheme flooding vulnerability currently checks for twenty-four applications. These include Skype, Spotify, Zoom, vscode, Epic Games, Telegram, Discord, Slack, Steam,, Xcode, NordVPN, Sketch, Teamviewer, Microsoft Word, WhatsApp, Postman, Adobe, Messenger, Figma, Hotspot Shield, ExpressVPN, Notion, and iTunes.

What is ‘scheme flooding’ which can help websites track users across multiple web browsers?

A researcher from FingerprintJS, has disclosed a vulnerability that allows a website to track a device’s user using these Custom URL Handlers. Concerningly, the vulnerability allows tracking between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.

A new vulnerability report from FingerprintJS’ Konstantin Darutkin, mentions: “Cross-browser anonymity is something that even a privacy-conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection. However, it generally has slow connection speed and performance issues on some websites. Hence, users may rely on less anonymous browsers for their everyday surfing.”

“They may use Safari, Firefox, or Chrome for some sites, and Tor for sites where they want to stay anonymous. A website exploiting the vulnerability could create a stable and unique identifier that can link those browsing identities together”.

To successfully track users using the new method, a website builds a profile of applications installed on a device. The method is quite simple.

Rogue websites attack the targeted victim with known URL handlers. The intention is to check if the browser launches a prompt. If a prompt triggers, it means users have installed the specific app.

By pinging for different URL handlers and checking for app launch prompts, a script can use the detected applications to build a unique profile for the target’s device.

Needless to mention, no matter the browser used, the installed applications remain the same. Using this logic, a script can track a user’s browser usage on both Google Chrome and an anonymizing browser such as Tor.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x