“Scheme flooding” allows tracking anonymous user browsing sessions

The flaw can leave users vulnerable to tracking and baffles common privacy protections like an incognito mode and the use of a VPN

The bug discovred the option to see users activities across various browsers. Even in incognito mode and while using the VPN.

According to researchers, the vulnerability called “Scheme flooding” threatens to access information about users' activities across browsers.^[1] Even anonymous sessions in Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, or Tor browser can get tracked.

Security provider FingerPrintJS said that the technique allows malicious people to see what sites are visited when applications are switched and when the VPN or incognito mode is used.^[2] Unfortunately, such activities can end badly too:

For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous.

The bug can provide the option of tracking the person while web browsers get switched, so all the responses get recorded and created into a list. It is possible to track users across apps, see the whole path of the activities online.

Custom URL schemes used as attack vector hence the “Scheme flooding” name

The vulnerability got revealed during particular anti-fraud research, and it was noticed that desktop versions of Tor, Safari, Chrome, and Firefox are affected by the bug. The flaw uses information about installed apps on the machine. It assigns the permanent identifier to the user even when the browser is changed, or a VPN,^[3] incognito mode gets used during the session. Third parties can track activities across platforms, which is a violation of privacy.

The exploitation of this bug comes in stages:

• preparation of the URL schemes;
• adding of the script on the particular website;
• generating the permanent and unique cross-browser identifier;
• using the algorithms that can use installed app data and guess the occupation, interests, and age of the user.

This issue also affects cross-browser anonymity that can be specific criteria for people when choosing web browsers from all the options.^[4] The Particular Tor browser offers privacy protection so that people might rely on this tool for a specific reason. The website that relies on this scheme flooring flaw can create a stable identifier and link those activities together across other browsers when you use anonymous options and rely on a quicker, less secure browser app. You can get tracked across the web regardless of the web browser you use.

The discovery comes days after news about a new privacy feature in Chrome

The bug profiles the user based on the applications already installed on the computer, so scheme flooding also allows target users with advertisements without their consent. Your habits, occupation, age can be revealed and used by the malicious actor or even criminal.^[5]

One of the affected browsers is Google Chrome. Researchers state that developers are aware of the flaw already. There are plans to fix the bug already. A few days before the reveal of this vulnerability, Google added prevention measures that should help avoid user tracking by isolating embedded content from the website interaction.^[6] Browser developers can restrict third-party cookies and prevent tracking, advertising based on interests, and recorded info.

The researcher that analyzed the Scheme flooding bug, Konstantin Darutkin, stated about Chrome:

Only the Chrome browser had any form of scheme flood protection which presented a challenge to bypass. It prevents launching any application unless requested by a user gesture, like a mouse click.

However, it is possible to use Chrome browser extensions and bypass the scheme flood protection. There is a loophole since this flaw conflicts with particular extension policies. Extensions need to have the ability to open custom URLs. For example, if the PDF viewer extension opens the file, the scheme food protection gets disabled, and the exploit possibly functional.

The usage of this bug, generally, varies from browser to browser, but the outcome is the same. The unique identification exploit can be used in practice with malicious sites, even via the Tor browser. Since there are no particular fixes for the vulnerability, private browsing sessions on the personal device are not possible. You can use a different computer and hope the flaw gets fixed soon on all the browsers.