Security researchers have disclosed a critical vulnerability, dubbed scheme flooding, that bypasses the privacy protections present in all major browsers, including Tor, Chrome, Safari, and Firefox.
The flaw lets a website assign a visitor a permanent unique identifier and use it to trace that visitor's activity across multiple browsers.
Scheme flooding can track users even when a VPN, a private browsing session, or other privacy-preserving tools are in use.
It has been revealed that the security hole has been present in these browsers for at least five years.
However, there has been no evidence that it is being exploited in the wild.
The scheme flooding flaw was discovered by security researchers at FingerprintJS, who demonstrated the attack in Tor, Chrome, Safari, and Firefox.
Malicious attack vector of scheme flooding:
FingerprintJS reported that the vulnerability uses custom URL schemes as its attack vector. A site can collect information about the applications installed on your desktop and turn that list into a permanent, unique identifier that tracks you across browsers even if you use a VPN or incognito mode.
Additionally, the scheme flooding vulnerability enables targeted advertising and user profiling without consent. The list of applications installed on your device can reveal a lot about your occupation, habits, and age. For example, if a Python IDE or a PostgreSQL server is installed on your computer, you are very likely to be a backend developer.
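To make the privacy risk described above concrete, the following is an added example (not code from the article or from FingerprintJS) that models the identifier from the defender's side: it derives a browser-independent identifier from a set of installed-application probe results and measures, over a small constructed population, how many users share each identifier and how many bits of identifying information a given result leaks. The application names and the population are invented for illustration; no probing is performed.

```python
"""Risk model for an installed-application fingerprint (constructed example)."""
from collections import Counter
from hashlib import sha256
from math import log2

# A probe result maps an application name to whether it was detected.
# All names and values below are constructed for this example.
Probe = dict[str, bool]

POPULATION: list[Probe] = [
    {"skype": True, "slack": True, "postgres": False, "pycharm": False},
    {"skype": True, "slack": True, "postgres": False, "pycharm": False},
    {"skype": True, "slack": True, "postgres": False, "pycharm": False},
    {"skype": True, "slack": True, "postgres": False, "pycharm": False},
    {"skype": True, "slack": False, "postgres": False, "pycharm": False},
    {"skype": True, "slack": False, "postgres": False, "pycharm": False},
    {"skype": False, "slack": True, "postgres": True, "pycharm": True},
    {"skype": False, "slack": False, "postgres": True, "pycharm": True},
]


def fingerprint(probe: Probe) -> str:
    """Derive a stable identifier from the set of installed apps only.

    Nothing browser-specific is mixed in and the app list is sorted, so the
    same desktop yields the same identifier whether the page ran in Chrome,
    Firefox, Safari or Tor Browser. That is the property that lets such an
    identifier link a user's sessions across browsers and past a VPN.
    """
    installed = sorted(app for app, present in probe.items() if present)
    return sha256("|".join(installed).encode()).hexdigest()[:16]


def anonymity_sets(population: list[Probe]) -> Counter:
    """Count how many users in the population share each identifier."""
    return Counter(fingerprint(p) for p in population)


def surprisal_bits(population: list[Probe], probe: Probe) -> float:
    """Identifying information (bits) revealed by this probe result: -log2(p),
    where p is the share of the population with the same identifier."""
    sets = anonymity_sets(population)
    share = sets[fingerprint(probe)] / len(population)
    return -log2(share)


def unique_fraction(population: list[Probe]) -> float:
    """Fraction of users whose identifier is shared with nobody else."""
    sets = anonymity_sets(population)
    singled_out = sum(1 for count in sets.values() if count == 1)
    return singled_out / len(population)


if __name__ == "__main__":
    for probe in POPULATION:
        print(fingerprint(probe), f"{surprisal_bits(POPULATION, probe):.1f} bits")
    print(f"uniquely identified: {unique_fraction(POPULATION):.0%}")
```

The common profile (Skype plus Slack) leaks only one bit in this population, while the two users with a database server and an IDE installed are singled out completely, which is the "backend developer" inference the article describes; real deployments probe far more than four applications, so the anonymity sets shrink accordingly.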
Evading advanced security layers:
Most web browsers boast a layered privacy and security architecture intended to protect user privacy.
Scheme flooding was found to bypass most of these layers.
The blog post states: “Every time you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it is impossible to access it because of the same-origin policy limitation.”
“On the other hand, a known custom URL scheme will be opened as about:blank, whose origin will be accessible from the current website.”
Only Chrome was noted to have specific protections against scheme flooding, and those, too, could be evaded.
Reportedly, the vulnerability has been flagged in the Chromium bug tracker and is to be patched soon.
Exploiting the flaw in Tor, however, required more time and effort from the researchers.
No patches deployed yet:
It has been reported that none of the browsers has yet addressed the critical security flaw.
Until the vulnerability is patched, security analysts recommend that users conduct private browsing sessions on devices not associated with their primary ones.