After releasing Tor Browser 10.0 last year, the Tor Project has released a new incremental update for its browser that contains fixes for a number of bugs including one that could allow websites to track users based on the apps installed on their devices.
As reported by BleepingComputer, back in May, the fingerprinting firm FingerprintJS released details on a 'scheme flooding' vulnerability that could be exploited to track users across several different browsers based solely on the applications they've installed.
In order to track users, a tracking profile is created for each user by trying to open several application URL handlers and checking if the browser then launches a prompt. For those unfamiliar, these application URL handlers are often used by video conferencing software such as Zoom to launch a meeting after a link is clicked on in a user's browser.
If the browser displays a prompt for an application, then it's safe to assume that the software is installed on a user's device. The scheme flooding vulnerability disclosed by FingerprintJS checks these URL handlers in order to create an ID for each user based on the unique configuration of apps installed on their devices.
Preventing unwanted tracking in Tor
The ID created based on a user's installed apps can even be tracked across several different browsers including Google Chrome, Microsoft Edge, Tor Browser, Firefox and Safari.
However, this vulnerability is especially concerning for Tor users since one of the main draws of the anonymous browser is being able to protect one's identity and IP address from being logged by the sites they visit. Since this vulnerability can track users across browsers, it could be used by websites and potentially even law enforcement to track a user's real IP address when they switch to Chrome or any other browser after using Tor.
Thankfully though, the Tor Project has patched this vulnerability with the release of Tor Browser 10.0.18 which fixes the issue by setting the browser's 'network.protocol-handler.external' setting to false. Once updated, the browser won't be able to pass the handling of URLs to external applications and no more application prompts will appear that can be used to track users.
Tor Browser users can protect themselves from this vulnerability by opening the browser's menu, going to Help and selecting About Tor Browser to automatically check for and install any new updates. However, the new update can also be downloaded manually from the Tor Browser download page or the Tor Project's distribution directory.
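The fix described above hinges on the 'network.protocol-handler.external' setting. As an added example (not code from the article, FingerprintJS or the Tor Project), this Python script audits the text of a Firefox-family preferences file for overrides under that prefix that still allow handoff to external applications. It assumes the `user_pref("name", value);` line format; the individual pref names in the sample are constructed.

```python
import re

# Prefix named in the article; the pref names in SAMPLE are constructed.
PREFIX = "network.protocol-handler.external"

# Firefox-family profiles store overrides as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

SAMPLE = '''// Constructed sample profile preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.mailto", false);
user_pref("network.protocol-handler.external.exampleapp", true);
user_pref("network.protocol-handler.external-default", false);
'''

def parse_prefs(text):
    """Return {name: value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank or unrelated line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Report handler prefs that are set, and those still set to true."""
    relevant = {n: v for n, v in parse_prefs(text).items()
                if n.startswith(PREFIX)}
    return {
        # Prefs missing from the file fall back to the browser's built-in
        # default, so an empty "checked" list means "not overridden here".
        "checked": sorted(relevant),
        "enabled": sorted(n for n, v in relevant.items() if v is True),
    }

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name in report["checked"]:
        state = "ALLOWS external handoff" if name in report["enabled"] else "blocked"
        print(f"{name}: {state}")
```

Any entry reported as enabled is a scheme for which the browser may still raise an application prompt.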
Via BleepingComputer