Tor Browser Fixes Vulnerability That Allowed Tracking Users by Installed Applications
The developers of the Tor Project have released a new version of the Tor Browser (10.0.18), which addresses multiple bugs, including a vulnerability that allowed websites to track users based on the list of applications installed on their devices.
Back in May 2021, the company FingerprintJS, known for its work in JavaScript fingerprinting, discovered a vulnerability that made it possible to track users of various browsers by identifying which applications were installed on their devices.
This tracking method works by creating a special tracking profile that attempts to open different URL handlers, such as zoommtg://, to check if the browser tries to interact with an application like Zoom. If the browser responds, it indicates that the application is installed on the device. By cycling through numerous URL handlers, a unique identifier and user profile can be created. This ID can then be used to track users across different browsers, including Google Chrome, Edge, Firefox, Safari, and Tor Browser.
In the Tor Browser 10.0.18 release, the developers fixed this issue by setting the network.protocol-handler.external parameter to false. This setting prevents the browser from passing certain URL handling requests to external applications, effectively blocking this type of attack and stopping websites from compiling a list of installed applications on the device.
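A way to check a browser profile for this setting, as an added example that is not code from the Tor Project or FingerprintJS: it parses the text of a Firefox-style prefs.js or user.js file and reports handler preferences that still allow external applications. The preference name is the one given in the article; the function names and the sample profile are assumptions made for the example, and the check only sees values written explicitly in the file, not defaults built into the browser.

```python
import re

# Preference name as given in the article. Firefox also has per-scheme
# preferences that share this prefix, e.g. "...external.mailto".
PREF = "network.protocol-handler.external"

# Matches lines of the form: user_pref("name", value);  or  pref("name", value);
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE
)

def parse_prefs(text):
    """Parse prefs.js / user.js content into {name: value}; later lines win."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_external_handlers(prefs):
    """Return findings for handler prefs that still allow external apps."""
    findings = []
    if prefs.get(PREF) is not False:
        findings.append(f"{PREF} is not set to false in this file")
    for name, value in sorted(prefs.items()):
        if name.startswith(PREF + ".") and value is True:
            findings.append(f"{name} is true (scheme may reach an external app)")
    return findings

# Constructed sample profile content, not taken from a real installation.
SAMPLE = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 0);
user_pref("network.protocol-handler.external", false);
user_pref("network.protocol-handler.external.mailto", true);
user_pref("intl.accept_languages", "en-US, en");
'''

if __name__ == "__main__":
    for finding in audit_external_handlers(parse_prefs(SAMPLE)):
        print(finding)
```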