'Scheme Flooding' Technique May Be Used To Deanonymize You

sandbagger shares a report from The Register: FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application. "The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the schemeflood.com site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open Slack.app? A website wants to open this application. [canel] [Open Slack.app]." But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query. The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

Visiting the schemeflood.com

[PPH]

... just results in a blank page. I guess I'm safe.

Re:

[Mononymous]

TFS says there's a demo to click on. I see a blank lavender page. I don't use a lot of privacy stuff, but I do deny cookies by default--is that all it takes to stop this crap?

Re:

[Canberra1]

System Programmer here. It is called enumeration. You can enumerate Microsoft Handles, services, running tasks, IP ports and Fonts. Fonts give a lot away. And if you see the right things running, you can get them to run more enumeration services/calls. MAC address BSSID, CPU ID, HDD ID, Battery ID. And you can read logs. Lots of logs, all usually read only. Know the graphics cards direct DMA call?. Bingo, memory dump. And you can pop scripts on a timer, to run in the future, great to get around AV products

Re:

[PPH]

And you can read logs.

Once upon a time, before systemd, this was true.

Not Without Javascript

[BeerFartMoron]

$ curl https://schemeflood.com/ [schemeflood.com]

[...snip...]

If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work.

[...snip...]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AmiMoJo]

I have Javascript enabled but it still didn't work. I guess one of the add-ons blocked it. A quick search reveals that uBlock Origin should kill it with standard block lists.

Re:

[ehrichweiss]

I used Firefox on Linux and it told me that I have Skype installed but I can definitely state for certain that I don't have Skype installed, and never will. Tor browser told it I had two other apps that Firefox also had but how it picked up Skype is beyond me. I may try this on my Win10 partition just to see what it reports and then see if I can make Linux report the same.

Seems to work

[Dan East]

This technique seems to work fine. It correctly detected 7 out of the 24 applications in their database that I have installed, which they claim is unique amongst the 17,486 tests it has run up to this point.

Re:

[cdsparrow]

Firefox showed popups while it was fingerprinting for me, but weirdly chrome did not visibly anyway. Said my list of 5 apps was 99.21% unique across the 17k tested so far.

Re:Seems to work

[RhettLivingston]

Mine was allegedly unique also, and that doesn't surprise me. However, my suspicion is that this just deanonymizes nerds. I know that my wife's and mother's PCs would be the same. Both have only Chrome, MS Office, and whatever programs come with Windows. I'd think a very large number of PC users would be like that.

Re:

[Xenna]

It's about different browsers on the same desktop, not different desktops. I just tried Firefox, Chrome and Brave and it detected perfectly that they were launched from the same Windows desktop.

Switching to a different Windows account on the same machine resulted in a different identifier.

Re:

[Nrrqshrr]

Those same nerds are also the only ones who would use adblock and would actively try to block tracking, anyway.

Re:

[_merlin]

Really? It completely failed for me with Firefox: it thinks I have all of the applications installed, when in reality I only have Skype, Steam, TeamViewer, and Adobe. If it actually worked, I don't know how unique that combination of four applications would be.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seems highly unlikely to be useful

[AmiMoJo]

The number doesn't need to be unique, it just needs to provide some more bits to combine with other identifiers like IP address, browser headers and the like. That gives them some tracking ability, and as soon as a victim logs into a site they can tie it up with things like email address and other PI.

It's similar to why FLoC has been rejected. Whatever they did to try to prevent tracking, in the end it just added extra data points that can be combined with others to identify a user.

Running...

[grep -v '.*' *]

We have generated your identifier based on 2 applications you have installed.
This is your identifier. It was seen 10 times among 17517 tests so far.
That means it is 99.94% unique.

Hmph, I'd have thought my (only) 2 apps would have been a much common occurrence. So I'm not unique, but I'm a lot more visible than I thought I'd be.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[barra.ponto]

This is your identifier. It was seen 1488 times among 17723 tests so far.
That means it is 91.60% unique.
We have generated your identifier based on 0 applications you have installed.
What can I say? Don't have any of their 24 programs installed.

Does not work in Firefox

[ugen]

Evidently, Firefox reports all apps as installed, so I "have" all 24. (Adblock and Ghostery are enabled, though - but this should not be something they protect against)
Safari, of course, fails miserably - but then again, I am not using it, nor expect any safety.

Re:

[SteelCamel]

Yes, same here. It thinks I have 23 out of the 24 installed - actually none of them are. It's also hardly stealthy - popping up a window that reloads repeatedly, even if they try to hide it in the corner.

Inconsistent results in Firefox private mode

[wabb1t]

Opened it 3 times in Firefox private mode, got 3 different results, all apparently "unique".

Chrome private browsing seems consistent, but much slower.

Re:

[piojo]

I just tried in Firefox with and without Ghostery installed. Without Ghostery, the result was perfectly accurate. With Ghostery, the site detected almost every app as installed, but when I ran it again, a different set of applications were detected. Both times, the true installed applications were detected. It's fuzzing the requests for apps I don't have. So the true result can be detected with increasing confidence if enough tests are done.

It seems like it would preserve privacy better for the browser/exte

Detection had at least one side effect on Mac

[SuperKendall]

The site detected 10 apps on my Mac, but did have one visible side effect at least - the Music.app was opened as part of detection.

It also detected Xcode which was open at the time, it might have the same effect there as well.

Junk results

[Vapula]

Among the detected apps, half were not present (nor were equivalents) on my computer... Which means that changing the browser is likely to produce another result...

Well, it tells from the beginning that chrome under linux may fail ;-)

Funny results / but some are correct

[burni2]

1,) Firefox nor Tor-Browser resulted in the same or even similar Identifier on one system

2.) on normal Firefox it incorrectly listed things like those below.
Which I do not have installed and it is also not running under w10 were Microsoft is jokingly installing each and every thing.

- Xcode
- Slack
- NordVPN
- MS Word
- expressVPN
- Whatsap
- postman
- Telegram
- iTunes
- discord

However it also correctly identified Steam and battle.net - but all else were just false positives

3.) but yes on Torbrowser however it also came up correctly with the two installed apps (steam and battle.net)

Re:

[burni2]

"Addition:"

2.) -> this find was really "unique" - it was equal uniquely 95% wrong

3.) -> this find was seen 6 times

Re:

[burni2]

Addition2:

On Linux/Kubuntu it came up with steam, nordVPN, Slack, Messenger, Steam, Hotspot Shield ..

and it tells me that this is unique.

Fun Fact: none are installed on this system. And it is deemed "unique"

Re:

[burni2]

Addition3:
Chromium on the W-Machine also came back correctly with steam/battle.net

So using firefox and tbb is a good precaution instead of tbb and chromium

Re:

[SixMinutes]

I'm on KDE, and I also saw 24 apps come up in the fingerprint in both browsers I tried, most of which are not installed, including a bunch of Mac and Windows specific stuff. But this is not actually a good thing, the test for these apps may not be reliable but the result is still a fairly distinctive fingerprint.

Re:

[EvilSS]

Ran multiple time on Firefox, got different results each time, with lots of false positives and negatives. Seems to need some work to actually, you know, work.

Re:

[AmiMoJo]

I recommend Tails for using the Tor browser. Run it in a VM if you don't want to reboot.

My install reports 0 installed app (linux).

[rahmrh]

My install reports 0 installed apps (linux).

9.9% of the tested use that (about 1400/17800 have that same setting, so not unique).

I guess you need to use a browser without any app links.

Thankfulyl it doesn't work?

[Captain Arr Morgan]

I had 0 of the 18 apps they claimed I had installed.

Worked for me in Safari

[bubblyceiling]

I have seen this happen in the wild. At times Notion or Apple Music will auto-start. Now it makes sense. For example, if you type in "itunes://" in Safari, the app just auto-opens

Randomization vs anonymization

[Traverman]

User fingerprinting, which is really what browser fingerprinting is attempting to do, is quite difficult to thwart. After all, even the grammar I'm using in this post is extremely helpful in identifying me. You might not know who I am, but even without a panopticon at your disposal, you could do automated searches for pieces of my text and perhaps conclude that I must be the same user as "that guy on that website over there". If I were daft enough to use the same ID on that other site, then your search wou

Thanks, it simply doesn't work

[Nikademus]

With firefox on a Mac, on first try, it detected 18 apps (I only have 3 of them installed).
On the second try, it found only 3 apps (I only have 2 of those installed).
On the third try, it found 23 apps (of which I only have 3 installed).

So, on the same machine, with the same browser, it claims I have 3 unique identifiers.

Hello life!

[AndyKron]

It's a race to the bottom and everyone loses.

Shutdown your browser between sites

[dmitch33]

I shutdown my browser when I surf between multiple sites. Sure, sometimes I don't care but if I don't want to share what sites that I've been to or have visited two or more sites I just shut it down and restart it. Time lost: Less than five seconds. Not a very technical solution but sometimes simple is better.

Not So Much In Safari

[hondo77]

As in the article, the test didn't complete in Safari on my Mac. Heck, it barely got started, finding one app and then hanging.

Nice

[nospam007]

So I will now install Skype and uninstall Teamviewer and Zoom to confuse them before any criminal activity of mine. :-)