There’s a Simple Way Websites Can Identify Anonymous Users Across Different Browsers

• Researchers have found a simple yet very effective way to create persistent identifiers on internet users.
• They are abusing application URL schemes to determine which apps are installed on a computer, generating a fingerprint.
• No matter the browser, incognito mode status, VPN use, or even Tor use, the user remains identifiable.

Researchers have discovered that there’s a way to create unique user profiles and generate fingerprints that would enable websites to identify otherwise anonymous people, and it’s a very simple way, really. Called “scheme flooding,” the method uses information about what apps are installed on the user’s computer, a seemingly innocuous function that nobody thought to secure against the possibility for abuse. If a website checks for the existence of 32 apps, a 32-bit cross-browser identifier would be created.

The researchers have set up a demonstration site that checks for the installation of 24 popular apps like Zoom, Steam, NordVPN, Microsoft Word, Messenger, Spotify, ExpressVPN, Slack, etc. Based on which apps are installed on your system, the website could create a unique fingerprint that would be persistent as long as you’re using the same computer (and OS). Obviously, that would work even if you browse the web in incognito mode, fire up your VPN app, open a different web browser app, or even visit the Tor network.

From a technical perspective, the researchers are following the four steps described below to achieve the exploitation of the vulnerability:

1. Prepare a list of application URL schemes that you want to test. The list may depend on your goals - for example, if you want to check if some industry or interest-specific applications are installed.
2. Add a script on a website that will test each application from your list. The script will return an ordered array of boolean values. Each boolean value is true if the application is installed or false if it is not.
3. Use this array to generate a permanent cross-browser identifier.
4. Optionally, use machine learning algorithms to guess your website visitors’ occupation, interests, and age using installed application data.

For those of you interested in getting to know more about the flaw and its exploitation potential, the researchers have set up a GitHub repo and are sharing the source code of their demo there.

It is a mind-boggling possibility that, according to the researchers, has been available for abuse for at least five years. However, there seem to be no signs of exploitation out there. Maybe nobody has thought of it, or some may have, but it’s definitely not being abused on a large scale. The researchers have reported their findings to Safari, Chrome, and Firefox, so a fix on all three should be on its way soon.