Cross-Browser Bug “Scheme Flooding” Enables New Way to Track Users


Beyond cookies & VPNs

There are many other ways to track us online, including canvas and browser fingerprinting. Even if you take precautions to protect your online privacy, reject all cookies, and even use a VPN, you can still be tracked, and often are. Browser fingerprinting happens when JavaScript can collect and combine enough unique information about you, such as your browser, time zone, default language, settings, and more. This information can then be used to uniquely identify and track you across sites. It’s a prevalent privacy violation that happens outside of what cookie consent management platforms (CMPs) handle.

An old bug

Researchers at FingerprintJS have discovered a bug that has been present in all browsers for about 5 years. It allows JavaScript to collect a list of your installed desktop applications. This happens regardless of the browser and whether you are using Windows or Mac. Together with other settings, this information can be used to generate a unique fingerprint of you. The vulnerability is not known to be heavily utilized, but it is scary to think you are trackable even if you’ve taken steps to use a VPN and a privacy-focused browser.

URI scheme sharing

It’s referred to as scheme flooding. When certain applications are installed, they register a custom URI scheme that the browser uses to launch that specific application when given a specially formed URL. Many applications have registered custom URI schemes. This includes Facetime, Last.fm, Slack, Zoom, Skype, Spotify, Steam, Unreal and more. A custom URI scheme facilitates the sharing of content and the launching of applications from the browser. Try entering skype:// into your browser’s address bar and hitting enter.

An open invite to overshare

The problem is that browsers expose different indicators that can be used to tell if an application is installed or not. The exploit uses JavaScript to open a series of popups with different application-specific URI schemes. The findings are then used to build a fingerprint of you. This can be demonstrated using the application built by FingerprintJS. This application currently tests for the presence of a subset of applications but could easily be extended to more applications for additional accuracy.
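To see why those findings identify a machine rather than a browser, here is an added example (not FingerprintJS code, and not from the original post) that models only the last step: combining per-application installed/not-installed results into an identifier and measuring how many profiles share it. It performs no detection; the profiles are constructed sample data, and the function names and the hex bit-vector encoding are assumptions made for illustration.

```javascript
// Added illustration (not FingerprintJS code): models only how per-application
// "installed / not installed" results combine into an identifier. No detection
// is performed; every profile below is constructed sample data.

// Application names the article lists as registering custom URI schemes.
const APPS = ["Facetime", "Last.fm", "Slack", "Zoom", "Skype", "Spotify", "Steam", "Unreal"];

// Pack the results into a bit vector (bit i set = APPS[i] present), as hex.
function toIdentifier(installed, apps = APPS) {
  const present = new Set(installed);
  let bits = 0n;
  apps.forEach((app, i) => {
    if (present.has(app)) bits |= 1n << BigInt(i);
  });
  return bits.toString(16).padStart(Math.ceil(apps.length / 4), "0");
}

// Upper bound on distinct identifiers: one bit per application tested.
function maxIdentifiers(appCount) {
  return 2n ** BigInt(appCount);
}

// Group profiles by identifier; a group of size 1 is uniquely identifiable.
function anonymitySets(profiles, apps = APPS) {
  const sets = new Map();
  for (const { label, installed } of profiles) {
    const id = toIdentifier(installed, apps);
    if (!sets.has(id)) sets.set(id, []);
    sets.get(id).push(label);
  }
  return sets;
}

// Constructed profiles: the first two are different browsers on one machine.
const SAMPLE_PROFILES = [
  { label: "machine A, Chrome", installed: ["Slack", "Zoom", "Spotify"] },
  { label: "machine A, Tor", installed: ["Slack", "Zoom", "Spotify"] },
  { label: "machine B, Firefox", installed: ["Skype", "Steam"] },
  { label: "machine C, Safari", installed: ["Facetime", "Slack", "Zoom", "Spotify"] },
];

for (const [id, labels] of anonymitySets(SAMPLE_PROFILES)) {
  console.log(id, labels.join(" | "));
}
console.log("possible identifiers with", APPS.length, "apps:", maxIdentifiers(APPS.length).toString());
```

The two browsers on machine A collapse to the same identifier because the input is operating-system state, not browser state, and each additional application tested doubles the number of possible identifiers.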

Chrome has taken some steps to combat this vulnerability, but there are still known workarounds they are trying to plug. Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari, and the privacy-focused Tor are all susceptible to the bug.

Stay vigilant

Maintaining your privacy is a whack-a-mole problem. The industry is dreaming up more creative means of identifying you as they wait on tracking cookies to be fully phased out by browsers. Think FLoC, browser fingerprinting, and now scheme flooding. Until scheme flooding is fixed, the only means of avoidance is to use physically separate devices. Separate browsers on the same system will result in the same fingerprint.