If you are using the Tor Browser, you should get the latest update immediately. Tor Browser 10.0.18 fixes a series of issues, one of which is a vulnerability that could allow sites to track users by fingerprinting their installed apps.
Scheme Flooding Vulnerability Fixed in Tor Browser 10.0.18
The vulnerability was disclosed last month by FingerprintJS. The firm defined the issue as a “scheme flooding,” enabling user tracking across various browsers by using the apps installed on users’ devices.
“In our research into anti-fraud techniques, we have discovered a vulnerability that allows websites to identify users reliably across different desktop browsers and link their identities together. The desktop versions of Tor Browser, Safari, Chrome, and Firefox are all affected,” said FingerprintJS’s Konstantin Darutkin in an article detailing the discovery.
The researchers decided to refer to the flaw as scheme flooding, as it utilizes custom URL schemes as an attack vector. The vulnerability also uses information about the installed apps on a user’s computer so that it assigns a permanent unique identifier in case the user switches browsers, uses incognito mode, or a VPN.
Even though the scheme flooding issue affects several browsers, it seems to be especially concerning for Tor users. The reason is simple – Tor users rely on the browser to protect their identity and IP address, while this vulnerability allows user tracking across different browsers. It could also enable various sites and entities to track the user’s real IP address when they switch to a “regular” browser such as Chrome or Firefox.
Fortunately, the vulnerability has been addressed in Tor Browser 10.0.18. It is curious to mention that the Tor project fixed the privacy bug by setting the ‘network.protocol-handler.external’ setting to false.
In February 2021, another privacy bug related to the built-in Tor mode was patched in the Brave browser. The bug was spotted by bug hunter known as xiaoyinl, and reported to Brave via its HackerOne bug bounty program. The Brave browser has been famous for its built-in Tor feature. However, the privacy mode which should allow anonymous browsing on the dark web started leaking the .onion domains to DNS servers configured for non-Tor websites. This could then allow the DNS operators or other threat actors to reveal the hidden services the user required.
Not the first time the Tor browser is found prone to user fingerprinting
In March 2016, independent security researcher Jose Carlos Norte also discovered that Tor users could be fingerprinted. User fingerprinting illustrates the ways of tracking various operations and details about the user’s online habits.
As pointed out by Norte, fingerprinting is specifically threatening to the Tor user since data stored while he surfs the Web (through Tor) can be later compared to data taken from the user’s regular browser. This is what the researcher said several years ago:
One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.