Researchers have discovered that there’s a way to create unique user profiles and generate fingerprints that would enable websites to identify otherwise anonymous people, and it’s a very simple way, really. Called “scheme flooding,” the method uses information about which apps are installed on the user’s computer, a seemingly innocuous capability that nobody thought to secure against abuse. If a website checks for the existence of 32 apps, a 32-bit cross-browser identifier would be created.
The researchers have set up a demonstration site that checks for the installation of 24 popular apps like Zoom, Steam, NordVPN, Microsoft Word, Messenger, Spotify, ExpressVPN, Slack, etc. Based on which apps are installed on your system, the website could create a unique fingerprint that would be persistent as long as you’re using the same computer (and OS). Obviously, that would work even if you browse the web in incognito mode, fire up your VPN app, open a different web browser app, or even visit the Tor network.
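As an added example (not the researchers’ demo code), here is a small defender-side heuristic for spotting this behaviour in navigation logs: a fingerprinting page stands out because a single origin triggers navigations to many distinct custom URL schemes within a short time, whereas ordinary pages almost never do. The log format, origins, scheme names and thresholds below are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: one navigation attempt per line,
# "<timestamp_seconds> <page_origin> <target_url>" (assumed format).
SAMPLE_LOG = """\
1.00 https://shop.example/ https://shop.example/cart
1.05 https://track.example/ zoommtg://probe
1.06 https://track.example/ steam://probe
1.07 https://track.example/ slack://probe
1.08 https://track.example/ spotify://probe
1.09 https://track.example/ nordvpn://probe
1.50 https://docs.example/ mailto:help@docs.example
"""

# Schemes a browser handles itself; anything else is an app/protocol handler probe.
WEB_SCHEMES = {"http", "https", "mailto", "tel", "about", "blob", "data", "javascript"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def parse_line(line):
    """Return (timestamp, origin, scheme) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, origin, url = m.groups()
    s = SCHEME_RE.match(url)
    if not s:
        return None
    return float(ts), origin, s.group(1).lower()


def find_scheme_flooding(log_text, min_schemes=4, window_s=2.0):
    """Flag origins that probe >= min_schemes distinct custom schemes within window_s seconds."""
    events = defaultdict(list)  # origin -> [(timestamp, scheme)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] in WEB_SCHEMES:
            continue
        ts, origin, scheme = parsed
        events[origin].append((ts, scheme))
    flagged = {}
    for origin, evs in events.items():
        evs.sort()
        for i in range(len(evs)):  # sliding window anchored at each probe
            seen = {sc for ts, sc in evs[i:] if ts - evs[i][0] <= window_s}
            if len(seen) >= min_schemes:
                flagged[origin] = sorted(seen)
                break
    return flagged
```

The same idea works on browser console or proxy logs: a burst of distinct non-web schemes from one origin is the signature to alert on, while a single `zoommtg:` or `slack:` launch from a meeting or chat page is normal.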
From a technical perspective, the researchers follow the four steps described below to exploit the vulnerability:
For those of you interested in getting to know more about the flaw and its exploitation potential, the researchers have set up a GitHub repo and are sharing the source code of their demo there.
It is a mind-boggling possibility that, according to the researchers, has been available for abuse for at least five years. However, there seem to be no signs of exploitation out there. Maybe nobody has thought of it, or some may have, but it’s definitely not being abused on a large scale. The researchers have reported their findings to Safari, Chrome, and Firefox, so a fix on all three should be on its way soon.