Security News > 2021 > June > Tor Browser Patches Application Probing Vulnerability
A new version of the open-source Tor Browser was released this week with patches for multiple vulnerabilities, including one that could allow malicious websites to track users across browsers by identifying applications running on their devices.
The bug, a protocol flooding attack also referred to as scheme flood, relies on custom protocol handlers for browsers to probe desktop computers for installed applications, profile users, and track them across browsers such as Chrome, Firefox, Safari, and Tor.
Scheme flood uses as attack vector custom URL schemes and allows for an attacker to discover applications that a user has installed.
"Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous," according to an advisory from FingerpringJS. Now rolling out to users as Version 10.0.18, the latest Tor Browser release prevents this attack.
The new browser release updates Tor to Version 0.4.5.9 on all platforms and includes all of the security fixes and enhancements in this iteration, including several major security fixes.
One of the most important changes in the browser is the deprecation of version 2 onion services.