Security News

A vulnerability affecting desktop versions of four popular web browsers could be exploited by advertisers, malicious actors, and other third parties to track and profile users online even if they switch browsers, use incognito mode or a VPN, researcher and developer Konstantin Darutkin claims. Darutkin and his colleagues from FingerprintJS are calling the vulnerability and its exploitation "Scheme flooding," as attackers can use browsers' built-in custom URL scheme handlers to check if site visitors have 32 different applications installed on their desktops.

A security researcher has discovered a vulnerability that allows websites to track users across a number of different desktop browsers - including Apple Safari, Google Chrome, Microsoft Edge, Mozilla Firefox and Tor - posing a threat to cross-browser anonymity. Called "Scheme flooding," the flaw "Allows websites to identify users reliably across different desktop browsers and link their identities together," Konstantin Darutkin, a researcher and developer at FingerprintJS, said in a blog post published Thursday.

Researchers have developed a way to track a user across different browsers on the same machine by querying the installed applications on the device. "Cross-browser anonymity is something that even a privacy conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection, though due to its slow connection speed and performance issues on some websites, users may rely on less anonymous browsers for their every day surfing," explains a new vulnerability report by FingerprintJS' Konstantin Darutkin.

LogDNA launched a new browser logging capability, which makes it easier for full-stack and frontend developers to ingest frontend log data in LogDNA to more efficiently debug web applications. LogDNA's new Browser Logger addresses this need by automatically capturing errors and logs occurring in the user's browser and allowing dev teams to centralize those errors alongside server-side logs.

Appgate announced the launch of the latest release of its Software Defined Perimeter solution that enables clientless, browser-based access to protected resources. With this latest release, Appgate SDP enhances and streamlines administration and removes end-user friction, which reduces the Help Desk workload. "A core tenet of zero trust is to secure access for all users to all resources. At Appgate, we remain dedicated to advancing zero trust network access with a focus on making it as simple as possible to apply this modern security framework across a variety of operating environments and scenarios," said Kurt Glazemakers, CTO for Appgate.

Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. The update comes after proof-of-concept code exploiting the flaw published by a researcher named "Frust" emerged on April 14 by taking advantage of the fact that the issue was addressed in the V8 source code, but the patch was not integrated into the Chromium codebase and all the browsers that rely on it, such as Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.

The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.

This month, Mozilla has announced plans to phase out support for the Firefox web browser app on the Amazon Fire TV product line. Although Firefox will be no longer supported on Fire TV effective at the end of this month, Amazon Silk web browser app remains available to Fire TV users.

Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH. Rowhammer refers to a technique that computer security researchers began to explore around 2014: "Hammering" RAM chips with a series of rapid write operations. Initially, Rowhammer attacks had to be conducted locally, though by 2016 [PDF], the technique had been refined to work remotely using JavaScript in, say, a web browser.

Google's FLoC mechanism for ad personalisation, currently being trialled in the Chrome browser, has been rejected as privacy-invasive tracking by other browser makers including Vivaldi and Brave. FLoC is part of what Google calls the Privacy Sandbox initiative, a proposal to "Support business models that fund the open web in the absence of tracking mechanisms like third-party cookies," according to now-retired Chrome engineering director Justin Schuh and product manager Marshall Vale in January.