fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Cross-browser Tracking Vulnerability Tracks You Via Installed Apps

Cross-browser Tracking Vulnerability Tracks You Via Installed Apps

Researchers have developed a way to track a user across different browsers on the same machine by querying the installed applications on the device.

Certain applications, when installed, will create custom URL schemes that the browser can use to launch a URL in a specific application.

For example, the custom URL scheme for a Zoom web meeting is zoommtg://, which when opened, will prompt the browser to launch the Zoom client, as shown below.

The application opened via a customer URL handler
The application opened via a customer URL handler

Over a hundred different custom URL handlers configured by applications exist, including Slack, Skype, Windows 10, and even steam.

Also Read: Compliance Course Singapore: Spotlight On The 3 Offerings

Cross-browser tracking using URL schemes

A researcher from one of the most well-known fingerprinting scripts, FingerprintJS, has disclosed a vulnerability that allows a website to track a device’s user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.

“Cross-browser anonymity is something that even a privacy conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection, though due to its slow connection speed and performance issues on some websites, users may rely on less anonymous browsers for their every day surfing,” explains a new vulnerability report by FingerprintJS’ Konstantin Darutkin.

“They may use Safari, Firefox or Chrome for some sites, and Tor for sites where they want to stay anonymous. A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together.”

To perform cross-browser tracking using scheme flooding, a website builds a profile of applications installed on a device by attempting to open their known URL handlers and checking if the browser launches a prompt.

If a prompt is launched to open the application, then it can be assumed that the specific app is installed. By checking for different URL handlers, a script can use the detected applications to build a unique profile for your device.

As the installed applications on a device are the same regardless of the browser you are using, this could allow a script to track a user’s browser usage on both Google Chrome and an anonymizing browser such as Tor. 

To test this vulnerability, we visited Darutkin’s demo site at schemeflood.com with Microsoft Edge, where a script launches URL handlers for a variety of applications to determine if they are installed.

When completed, a unique identifier was shown on my profile that was also the same for tests using different browsers on my PC, including Firefox, Google Chrome, and Tor.

ID generated for my device
ID generated for my device

Darutkin’s scheme flooding vulnerability currently checks for the following twenty-four applications, Skype, Spotify, Zoom, vscode, Epic Games, Telegram, Discord, Slack, Steam, Battle.net, Xcode, NordVPN, Sketch, Teamviewer, Microsoft Word, WhatsApp, Postman, Adobe, Messenger, Figma, Hotspot Shield, ExpressVPN, Notion, and iTunes.

It is possible that multiple users can have the same combination of installed programs, leading to the same profile ID.

Existing mitigations can be bypassed

Of the four major browsers tested by Darutkin, only Google Chrome had previously added mitigations to prevent this type of attack by preventing multiple attempts to use URL handlers without a user gesture (interaction).

However, Darutkin discovered that triggering a built-in Chrome extension, such as the Chrome PDF Viewer, bypasses this mitigation.

“The built-in Chrome PDF Viewer is an extension, so every time your browser opens a PDF file it resets the scheme flood protection flag. Opening a PDF file before opening a custom URL makes the exploit functional,” explains Darutkin.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

Microsoft Edge Program Manager Eric Lawrence has acknowledged the attack, and Chromium and Microsoft engineers are working on a fix in a new bug report.

Until browsers add working mitigations for this attack, the only way to prevent this method of cross-browser tracking is to use a browser on a different device.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us