Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.
In addition to updating Tor to 0.4.5.9, the browser’s Android version has been upgraded to Firefox to version 89.1.1, alongside incorporating patches rolled out by Mozilla for several security vulnerabilities addressed in Firefox 89.
Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN.
Put differently, the weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device’s user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.
“A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together,” FingerprintJS researcher Konstantin Darutkin said.
Currently, the attack checks a list of 24 installed applications that consists of Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode, and Zoom.
The issue has serious implications for privacy as it could be exploited by adversaries to unmask Tor users by correlating their browsing activities as they switch to a non-anonymizing browser, such as Google Chrome. To counter the attack, Tor now sets “network.protocol-handler.external” to false so as to block the browser from probing installed apps.