Security News > 2021 > May > Vulnerability in popular browsers could be used to track, profile users online

A vulnerability affecting desktop versions of four popular web browsers could be exploited by advertisers, malicious actors, and other third parties to track and profile users online even if they switch browsers, use incognito mode or a VPN, researcher and developer Konstantin Darutkin claims.

Darutkin and his colleagues from FingerprintJS are calling the vulnerability and its exploitation "Scheme flooding," as attackers can use browsers' built-in custom URL scheme handlers to check if site visitors have 32 different applications installed on their desktops.

The information gathered from these requests can be used to create a permanent unique identifier that can link browsing identities together.

"A combination of CORS policies and browser window features can be used to bypass ," Darutkin said.

"Of the four major browsers impacted, only Chrome developers appear to be aware of the scheme flooding vulnerability. The issue has been discussed on the Chromium bug-tracker and is planned to be fixed soon. Additionally, only the Chrome browser had any form of scheme flood protection which presented a challenge to bypass."

Still, the researchers' write-up could push some to use the scheme to track users online.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/IhOj67RQinE/