Tor Browser Patches Application Probing Vulnerability
A new version of the open-source Tor Browser was released this week with patches for multiple vulnerabilities, including one that could allow malicious websites to track users across browsers by identifying applications running on their devices.
The bug, a protocol flooding attack also referred to as scheme flood, relies on custom protocol handlers for browsers to probe desktop computers for installed applications, profile users, and track them across browsers such as Chrome, Firefox, Safari, and Tor.
Scheme flood uses as attack vector custom URL schemes (also referred to as deep linking, the feature allows applications to register their own schemes for other applications to open them) and allows for an attacker to discover applications that a user has installed. The attack usually takes seconds and works cross-platform, on Windows, Mac, and Linux.
“Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous,” according to an advisory from FingerpringJS.
[ Related: Google Releases PoC for Browser-Based Spectre Attack ]
Now rolling out to users as Version 10.0.18, the latest Tor Browser release prevents this attack.
The new browser release updates Tor to Version 0.4.5.9 on all platforms and includes all of the security fixes and enhancements in this iteration, including several major security fixes.
One of the most important changes in the browser is the deprecation of version 2 onion services. Only announced for the time being, the deprecation will take place later this year and will require for all onion service operators to migrate to version 3.
Initially announced in July 2020, the switch is expected to be completed on July 15, 2021, when support for v2 onion services will be completely removed from the codebase.