Custom browser protocol handlers may be used for fingerprinting
Quote:

When you install certain applications on your desktop systems, so-called custom protocol handlers may be added. These are used to launch the application in question, e.g. to initiate a Skype call or open a game on Steam.

Popular applications such as Skype, Spotify, Discord, WhatsApp, TeamViewer, or Slack make use of custom protocols.
Sites may test for support for these protocols in a browser and use the information for fingerprinting.

A demo site has been created that checks if the custom protocol handlers of 24 applications are supported (on Windows). A total of 32 different application protocol handlers are supported right now.

The identification works across operating systems and browsers. It can be used, at least in theory, to identify a user based on the results of the test alone.

The demo site computes an identifier based on its findings each time the test is run. The developers suggest that you may run the test in different browsers, e.g. Firefox, Chrome, Safari and Tor Browser, to check if you can be identified based on the support of external protocols.

Fingerprinting can be improved by using other identifying factors next to those used in the demo. The checks for the supported custom protocol handlers are clearly visible when you run the demo in three of the four browsers that are officially supported (Chrome, Firefox and Safari).

The information may be used to identify users of the Tor browser, but also for targeted advertisement or user tracking and profiling. The type of applications that are installed may reveal valuable information to advertisers and potentially also to malicious actors. A user who has several game clients installed may respond well to game-related ads, while a TeamViewer or Slack user to business-related ads.

The developers reveal how they managed to run the identification script in the four tested browsers. They note that Google appears to be aware of this and is working on a solution to prevent the attack from taking place. It is likely that other browser companies will implement security protections of their own to block this attack from being successful.

Bugs were reported to Mozilla, Google and Apple. You can check the bug on Mozilla's bug tracking site to find out if and when it gets fixed in Firefox (and Tor).

The source code for the demos has been released on GitHub.

As far as protection in the meantime is concerned, a script-blocker may prevent the attack from being carried out in the first place.

Now You: do you have programs with custom protocol handlers installed on your devices?
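To see what your own machine would expose to the kind of check the quoted article describes, the following added example (not part of the original post and not the demo's code) audits a Linux desktop for registered custom URL schemes and shows how the installed-handler set collapses into a stable identifier. It assumes freedesktop `.desktop` files as the registration source; the scheme names in `WATCHED` and the SHA-256 digest are assumptions standing in for the demo's own list and identifier algorithm.

```python
import hashlib
from pathlib import Path

# Assumed scheme names for apps the article mentions; verify against your own system.
WATCHED = ["discord", "skype", "slack", "spotify", "steam", "teamviewer", "whatsapp"]

# Constructed sample .desktop entry, used for offline checking.
SAMPLE = """[Desktop Entry]
Name=Example Chat
Exec=examplechat %U
MimeType=x-scheme-handler/slack;x-scheme-handler/discord;
"""

def schemes_in_desktop_entry(text):
    """Return URL schemes registered via MimeType=x-scheme-handler/<scheme>."""
    found = set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "MimeType":
            for mime in value.split(";"):
                mime = mime.strip().lower()
                if mime.startswith("x-scheme-handler/"):
                    found.add(mime.split("/", 1)[1])
    return found

def scan_local(dirs=None):
    """Collect every scheme registered by .desktop files in the usual locations."""
    if dirs is None:
        dirs = ["/usr/share/applications",
                str(Path.home() / ".local/share/applications")]
    registered = set()
    for d in dirs:
        if Path(d).is_dir():
            for f in sorted(Path(d).glob("*.desktop")):
                registered |= schemes_in_desktop_entry(
                    f.read_text(encoding="utf-8", errors="replace"))
    return registered

def exposure(registered, watched=WATCHED):
    """One bit per watched scheme, plus a short digest of that bit string."""
    bits = "".join("1" if s in registered else "0" for s in watched)
    digest = hashlib.sha256(bits.encode()).hexdigest()[:16]
    return bits, digest

if __name__ == "__main__":
    found = scan_local()
    bits, digest = exposure(found)
    print("registered schemes:", ", ".join(sorted(found)) or "(none)")
    print("watched-scheme bits:", bits, "digest:", digest)
```

The bit string is the same in every browser on the machine because it depends only on installed applications, which is why the article calls out cross-browser identification; removing handlers you do not need shrinks it.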

