A cross-browser tracking bug has surfaced online targeting browsers. This vulnerability allows apps to identify users on a device even when using different browsers. Currently, no fix is available for this flaw.
Cross-Browser Tracking Bug
Researchers from FingerprintJS have detected a scheme flooding vulnerability allowing cross-browser tracking. As explained in their blog post, this vulnerability currently affects all major browsers, including Tor.
The bug allows an app to track users across separate browsers, including Tor. That happens because an app may simply track the user’s device by looking for the list of apps installed on it. This type of tracking not only allows tracking but also enables user profiling. As stated in the post,
The scheme flooding vulnerability allows an attacker to determine which applications you have installed. In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not.
To demonstrate the flaw, the researchers have come up with a demo app “SchemeFlood” (source code is available on GitHub). This demo app checks a device via a browser for the presence of any of the 24 apps in its database. This lets the app generate a unique device identifier that will remain the same when tracked via any browser.
At present, the bug works on Windows, ac, and Linux systems alike.
No Patch Available Yet
The vulnerability has existed for at least 5 years. However, the researchers could not identify any instances of active exploitation of the flaw.
Nonetheless, given the severity of the bug and the subsequent privacy threat to users, the researchers emphasize the need for a fix as they publicly disclosed the bug.
At present, this vulnerability affects browsers, including the popular ones, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari, and even the privacy-focused Tor.
Among all of these, only Google Chrome exhibited a little resilience to the exploit as Google developers already know of the bug and are working on it. Whereas, Safari browser turned out to be the easiest to exploit.
In the case of Tor, the researchers found it to be the least exploitable. Its underlying policies limit how an app may check the device for tracking. While the browser has a 10 seconds limitation for that, leaving a web page open in Tor for some time, such as 4 minutes, may give enough time to the app to exploit the flaw and track the users’ identity.
Thus, until a fix is available, users have only one mitigation to avoid tracking via this flaw. That is, to use entirely separate devices (instead of separate browsers).