Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.
In addition to updating Tor to 0.4.5.9, the browser's Android version has been upgraded to Firefox to version 89.1.1, alongside incorporating patches rolled out by Mozilla for several security vulnerabilities addressed in Firefox 89.
Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN.
Put differently, the weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.
"A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together," FingerprintJS researcher Konstantin Darutkin said.
Currently, the attack checks a list of 24 installed applications that consists of Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode, and Zoom.
The issue has serious implications for privacy as it could be exploited by adversaries to unmask Tor users by correlating their browsing activities as they switch to a non-anonymizing browser, such as Google Chrome. To counter the attack, Tor now sets "network.protocol-handler.external" to false so as to block the browser from probing installed apps.
Of the other three browsers, while Google Chrome features built-in safeguards against scheme flooding — it prevents launching any application unless it's triggered by a user gesture, like a mouse click — the browser's PDF Viewer was found to bypass this mitigation.
"Until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether," Darutkin said. Tor browser users are recommended to move quickly to apply the update to ensure they are protected.
The development arrives little over a week after encrypted messaging service Wire addressed two critical vulnerabilities in its iOS and web app that could lead to a denial-of-service (CVE-2021-32666) and permit an attacker to take control of a user account (CVE-2021-32683).