'Scheme flooding' bug threatens to sink user privacy

A newly disclosed security flaw could potentially leave users vulnerable to tracking across multiple browsers and sessions.

In a blog post, the team at security provider FingerPrintJS explained how, by using a technique dubbed "scheme flooding," bad actors can see what sites users visit even when they switch between different browsers and enable incognito mode or use a VPN.

The researchers said they filed bug reports with each of the major browser developers prior to disclosing the flaw.

In short, the bug allows sites to ping multiple third-party applications (such as Skype or Zoom) and then use the responses to create a detailed list of the apps on a system. The list can then be maintained and used to fingerprint users across multiple browsers and internet connections.

"Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes," explained researcher Konstantin Darutkin. "For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous."

According to the FingerPrintJS researchers, the scheme flood issue is due to the way a website can use API calls to bring up an outside application. Each time a page needs to access an application, it sends a custom URL request that instructs the PC to attempt to load the application and return a response, whether that application is installed or not.

By firing multiple calls for different applications, the site operator could compile a list of, say, 32 different applications installed on a visitor's PC. A bit could be assigned to each app depending on whether it is installed, and the result would be a 32-bit identifier that would be assigned to that visitor.

The bit would then be checked and cross-referenced, allowing the same application profile to show up even when that visitor switched to a different browser, logged in from a different location via VPN, or hid his traffic via incognito mode.

In other words, installed apps create a semi-unique fingerprint that can thwart all attempts to hide from tracking. While not foolproof by any means (two different users could have the same application profile, particularly if they share a machine or use company-issued PCs with a standard loadout) it does provide a fairly accurate way of tracking specific users or at least narrowing down potential targets for more focused attacks.

The list of installed applications on your device can reveal a lot about your occupation, habits and age.

"The list of installed applications on your device can reveal a lot about your occupation, habits and age," Darutkin said. "For example, if a Python IDE or a PostgreSQL server is installed on your computer, you are very likely to be a back-end developer."

Just how vulnerable a user would be to profiling would depend on a number of factors, most notably the browser in use. Because each of the major browsers use slightly different methods for handling application requests, the scheme profiling trick would have different rates of success and usefulness.

In Tor, for example, a 10-second average look-up time means the process of trying to ping dozens of different applications would span multiple minutes, and thus would probably not be particularly reliable for an attacker.

On the other hand, Apple's Safari browser was said to be the most susceptible to scheme flooding, as it lacks some of the basic protections that would make it more difficult for the attacker to enumerate outside applications.

"The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor's identity is not only possible, but can be used on malicious websites in practice," Darutkin wrote. "Even Tor Browser can be effectively exploited by tricking a user into typing one character per application we want to test."

There is hope for a fix: Darutkin wrote that Google's Chrome team, in particular, has been very receptive to the report and is already working on a fix for the issue. In the meantime, the FingerPrintJS researchers said that the only way to completely guard against potential scheme flooding is to use a completely different device for browsing sessions.