This week, a new version of the open-source Tor Browser was published with fixes for a number of vulnerabilities, including one that might allow malicious websites to track users across browsers by identifying programmes installed on their devices.
The flaw, known as scheme flood or protocol flooding, uses custom protocol handlers in browsers to probe desktop computers for installed apps, profile users, and track them across browsers including Chrome, Firefox, Safari, and Tor.
Scheme flood is an attack vector that allows an attacker to find programmes that a user has installed by using custom URL schemes. This functionality, also known as deep linking, allows applications to register their own schemes so that other applications can open them. The attack takes seconds to complete and works on Windows, Mac OS X, and Linux.
“Depending on the apps installed on a device, a website may be able to identify individuals for nefarious purposes.” According to a FingerprintJS alert, “a site may be able to recognise a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous.”
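The scheme registrations described above can be audited locally to see what a desktop exposes. The following is an added example, not code from the article, FingerprintJS or the Tor Project: it covers Linux only, listing the custom URL schemes that `.desktop` files register through `x-scheme-handler/` MIME types. The sample entries, app names and the `COMMON` list are constructed assumptions.

```python
from pathlib import Path

# Schemes almost every desktop registers; they say little about the user.
# This list is an assumption made for the example.
COMMON = {"http", "https", "mailto", "ftp", "file"}
PREFIX = "x-scheme-handler/"
# Standard XDG application directories; either may be absent.
APP_DIRS = [Path("/usr/share/applications"),
            Path.home() / ".local/share/applications"]

def schemes_in_desktop_entry(text):
    """Return URL schemes declared by MimeType in the [Desktop Entry] group."""
    in_main, found = False, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_main = line == "[Desktop Entry]"
            continue
        key, sep, value = line.partition("=")
        if in_main and sep and key.strip() == "MimeType":
            for mime in value.split(";"):
                mime = mime.strip().lower()
                if mime.startswith(PREFIX) and len(mime) > len(PREFIX):
                    found.add(mime[len(PREFIX):])
    return found

def audit(entries):
    """Map each non-common scheme to the sorted .desktop files registering it."""
    exposed = {}
    for app, text in entries.items():
        for scheme in schemes_in_desktop_entry(text) - COMMON:
            exposed.setdefault(scheme, []).append(app)
    return {s: sorted(apps) for s, apps in sorted(exposed.items())}

def load_installed(dirs=APP_DIRS):
    """Read installed .desktop files; later directories override earlier ones."""
    return {p.name: p.read_text(errors="replace")
            for d in dirs if d.is_dir() for p in sorted(d.glob("*.desktop"))}

# Constructed sample entries (hypothetical apps) so the example runs offline.
SAMPLE = {
    "chatapp.desktop": "[Desktop Entry]\nMimeType=x-scheme-handler/chatapp;\n",
    "browser.desktop": "[Desktop Entry]\nMimeType=text/html;"
                       "x-scheme-handler/http;x-scheme-handler/https;\n",
    "vpnclient.desktop": "[Desktop Entry]\nMimeType=x-scheme-handler/corpvpn;\n"
                         "[Desktop Action New]\nMimeType=x-scheme-handler/x;\n",
}

if __name__ == "__main__":
    for scheme, apps in audit(load_installed() or SAMPLE).items():
        print(f"{scheme}://  registered by {', '.join(apps)}")
```

Each scheme in the output is an application-specific handler, so a short list means less for a site to learn about the installed software.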
The latest Tor Browser update, now available as Version 10.0.18, protects users from this attack.
The new browser upgrade brings Tor up to version 0.4.5.9 on all platforms and includes all of this iteration’s security improvements and additions, including several critical ones.
The deprecation of version 2 onion services is one of the most significant changes in the browser. For now, the deprecation is set to take place later this year, and all onion service operators will be required to upgrade to version 3.
The changeover, which was first announced in July 2020, is set to be completed on July 15, 2021, when support for v2 onion services will be removed entirely from the codebase.