Cross-Browser Bug “Scheme Flooding” Enables New Way to Track Users
Beyond cookies & VPNs
An old bug
URI scheme sharing
It’s referred to as scheme flooding. When certain applications are installed, they create a custom URI scheme that is used by the browser to launch that specific application given a specifically formed URL. Many applications have registered custom URI schemes. This includes Facetime, Last.fm, Slack, Zoom, Skype, Spotify, Steam, Unreal and more. A custom URI scheme facilitates the sharing of content and the launching of applications from the browser. Try entering in skype:// into your browser’s address bar and hit enter.
An open invite to overshare
Chrome has taken some steps to combat this vulnerability, but there are still known workarounds they are trying to plug. Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari, and the privacy-focused Tor are all susceptible to the bug.
Maintaining your privacy is a Whack-a-mole problem. The industry is dreaming up more creative means of identifying you as they wait on tracking cookies to be fully phased out by browsers. Think FLoC, Browser Fingerprinting, and now Scheme Flooding. Until Scheme Flooding is fixed, the only means of avoidance is to use physically separate devices. Separate browsers on the same system will result in the same fingerprint.