Security News > 2021 > May > ‘Scheme Flooding’ Allows Websites to Track Users Across Browsers
A security researcher has discovered a vulnerability that allows websites to track users across a number of different desktop browsers - including Apple Safari, Google Chrome, Microsoft Edge, Mozilla Firefox and Tor - posing a threat to cross-browser anonymity.
Called "scheme flooding," the flaw "allows websites to identify users reliably across different desktop browsers and link their identities together," Konstantin Darutkin, a researcher and developer at FingerprintJS, said in a blog post published Thursday.
Someone may use the Tor browser because it's known for being "the ultimate in privacy protection"; however, it's not as fast or high-performing as other browsers, so someone may opt to use Safari, Firefox or Chrome for some sites, and Tor when engaging in anonymous browsing activities - but the bug blows that anonymity out of the water, Darutkin explained.
To achieve this verification, browsers can use built-in custom URL scheme handlers - also known as deep linking, which is widely used on mobile devices but is also available on desktop browsers, Darutkin explained.
The feature is illustrated like this: If someone has Skype installed and types "skype://" in a browser address bar, the browser will ask if the user wants to launch Skype, he said.
While all well-known browsers generally have mechanisms in place to prevent exploitation of such a flaw, all of the ones affected have weaknesses that allow scheme flooding to work, Darutkin explained.
News URL
https://threatpost.com/scheme-flooding-website-tracking/166185/