
Tor Browser Vulnerability Fixed Which Allowed Tracking Via Apps

A vulnerability undermines an important function of Tor, which normally protects the user's identity and IP address from being logged by websites. As a result, users can also be tracked across browsers, but the Tor Project has provided an update.

Bleeping Computer reported the issue, and the update is also available from the official website. The Tor Project has released version 10.0.18 of the Tor Browser to fix numerous bugs, including a vulnerability that allows websites to track users by fingerprinting the applications installed on their devices. In short, users were probably not fully protected from tracking for a few versions.

Default Settings Changed Via Update

With the release of Tor Browser 10.0.18, the Tor Project introduced a fix for this vulnerability by setting ‘network.protocol-handler.external’ to false. This default setting prevents the browser from handing a specific URL over to an external application, so the application prompts are no longer triggered.
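To check a profile for the setting described above, the following added example (not Tor Project code) audits the text of a `prefs.js` or `user.js` file. It assumes the usual `user_pref("name", value);` syntax and that per-scheme or default variants share the prefix named in the article; the sample file contents are constructed.

```python
import re

# Preference named in the article. Assumption: variants such as
# "<prefix>.mailto" or "<prefix>-default" share this prefix.
PREFIX = "network.protocol-handler.external"

# One boolean pref per line; lines starting with // do not match.
PREF_RE = re.compile(
    r'^[ \t]*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)

def external_handler_prefs(prefs_text):
    """Return {pref_name: bool} for every boolean pref under PREFIX."""
    found = {}
    for name, value in PREF_RE.findall(prefs_text):
        if name == PREFIX or name.startswith((PREFIX + ".", PREFIX + "-")):
            found[name] = (value == "true")  # a later line overrides an earlier one
    return found

def audit(prefs_text):
    """Return (status, prefs_still_true).

    "unset"    - the file does not mention the pref; the browser build's
                 own default decides.
    "exposed"  - at least one matching pref is true.
    "hardened" - every matching pref is false.
    """
    prefs = external_handler_prefs(prefs_text)
    if not prefs:
        return "unset", []
    enabled = sorted(name for name, value in prefs.items() if value)
    return ("exposed" if enabled else "hardened"), enabled

# Constructed sample file contents, for illustration only.
SAMPLE_EXPOSED = '''
user_pref("browser.startup.page", 3);
user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.external.mailto", true);
'''
SAMPLE_HARDENED = '''
// user_pref("network.protocol-handler.external", true);
user_pref("network.protocol-handler.external", false);
'''

if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text))
```

A result of "unset" only means the profile does not override the value, so the version of the browser in use still has to be checked.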

A company specializing in fingerprinting for security had previously discovered the bug, which allowed tracking, through the browser, of which apps were installed on a PC. The so-called “Scheme Flooding” vulnerability can be used to check, via the browser's application launch prompt, whether certain apps are installed on a device. By checking for numerous URL handlers, an ID can then be created that is based on the unique configuration of the installed apps on the user’s device. This ID can then be tracked across different browsers, including Google Chrome, Edge, Tor Browser, Firefox, and Safari.

This vulnerability is of particular concern to Tor users, who use the browser to protect their identity and IP address from being logged by websites. Because the technique tracks users across all browsers, it could allow websites and even law enforcement agencies to track a user’s real IP address when they switch to a non-anonymizing browser like Google Chrome.