Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Tor Browser Patches Application Probing Vulnerability

A new version of the open-source Tor Browser was released this week with patches for multiple vulnerabilities, including one that could allow malicious websites to track users across browsers by identifying applications running on their devices.

A new version of the open-source Tor Browser was released this week with patches for multiple vulnerabilities, including one that could allow malicious websites to track users across browsers by identifying applications running on their devices.

The bug, a protocol flooding attack also referred to as scheme flood, relies on custom protocol handlers for browsers to probe desktop computers for installed applications, profile users, and track them across browsers such as Chrome, Firefox, Safari, and Tor.

Scheme flood uses as attack vector custom URL schemes (also referred to as deep linking, the feature allows applications to register their own schemes for other applications to open them) and allows for an attacker to discover applications that a user has installed. The attack usually takes seconds and works cross-platform, on Windows, Mac, and Linux.

“Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous,” according to an advisory from FingerpringJS.

[ Related: Google Releases PoC for Browser-Based Spectre Attack ]

Now rolling out to users as Version 10.0.18, the latest Tor Browser release prevents this attack.

The new browser release updates Tor to Version 0.4.5.9 on all platforms and includes all of the security fixes and enhancements in this iteration, including several major security fixes.

One of the most important changes in the browser is the deprecation of version 2 onion services. Only announced for the time being, the deprecation will take place later this year and will require for all onion service operators to migrate to version 3.

Initially announced in July 2020, the switch is expected to be completed on July 15, 2021, when support for v2 onion services will be completely removed from the codebase.

Related: Google Offers UK Watchdog Role in Browser Cookie Phase-Out

Related: Google Releases PoC Exploit for Browser-Based Spectre Attack

Related: Threat Actor Uses Browser Extension to Hack Gmail Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.