‘Scheme Flooding’ Allows Websites to Track Users Across Browsers
Security researchers have discovered a new vulnerability that allows websites to enumerate the applications installed on a machine, threatening cross-browser anonymity in popular browsers such as Chrome, Firefox, Microsoft Edge, Safari, and Tor. The vulnerability is referred to as “scheme flooding,” and allows websites to identify users across different desktop browsers, linking their sessions together to create a full picture of what they are searching across browsers. The researcher responsible for uncovering the attack is Konstantin Darutkin, who is employed by FingerprintJS.
Darutkin published a blog post on Thursday detailing the flaw. The vulnerability uses custom URL schemes as an attack vector: information about which apps are installed is strung together into an identity, which allows a site to assign someone a permanent unique identifier. The flaw can also identify users across browsers when the individual is using incognito mode or a VPN service. Cross-browser anonymity is something that users typically take for granted, according to Darutkin. However, Darutkin’s discovery shows that privacy is always more complex than meets the eye.