A new version of the open-source Tor Browser was released this week with patches for multiple vulnerabilities, including one that could allow malicious websites to track users across browsers by identifying applications running on their devices.
The bug, a protocol flooding attack also referred to as scheme flood, relies on custom protocol handlers for browsers to probe desktop computers for installed applications, profile users, and track them across browsers such as Chrome, Firefox, Safari, and Tor.
Scheme flood uses as attack vector custom URL schemes (also referred to as deep linking, the feature allows applications to register their own schemes for other applications to open them) and allows for an attacker to discover applications that a user has installed. The attack usually takes seconds and works cross-platform, on Windows, Mac, and Linux.
“Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous,” according to an advisory from FingerpringJS.
[ Related: Google Releases PoC for Browser-Based Spectre Attack ]
Now rolling out to users as Version 10.0.18, the latest Tor Browser release prevents this attack.
The new browser release updates Tor to Version 0.4.5.9 on all platforms and includes all of the security fixes and enhancements in this iteration, including several major security fixes.
One of the most important changes in the browser is the deprecation of version 2 onion services. Only announced for the ..
Support the originator by clicking the read the rest link below.
