Tor Browser update no longer tracks what apps users install

Tor Browser 10.0.18 update patches a scheme flooding vulnerability


After releasing Tor Browser 10.0 last year, the Tor Project has released a new incremental update for its browser that contains fixes for a number of bugs, including one that could allow websites to track users based on the apps installed on their devices.

As reported by BleepingComputer, back in May, the fingerprinting firm FingerprintJS released details on a ‘scheme flooding’ vulnerability that could be exploited to track users across several different browsers based solely on the applications they’ve installed.

In order to track users, a tracking profile is created for each user by trying to open several application URL handlers and checking if the browser then launches a prompt. For those unfamiliar, these application URL handlers are often used by video conferencing software such as Zoom to launch a meeting after a link is clicked on in a user’s browser.

If the browser displays a prompt for an application’s URL handler, then it’s safe to assume that the software is installed on a user’s device. The scheme flooding vulnerability disclosed by FingerprintJS checks these URL handlers in order to create an ID for each user based on the unique configuration of apps installed on their devices.

Preventing unwanted tracking in Tor


The ID created based on a user’s installed apps can even be tracked across several different browsers including Google Chrome, Microsoft Edge, Tor Browser, Firefox and Safari.

However, this vulnerability is especially concerning for Tor users since one of the main draws of the anonymous browser is being able to protect one’s identity and IP address from being logged by the sites they visit. Since this vulnerability can track users across browsers, it could be used by websites and potentially even law enforcement to track a user’s real IP address when they switch to Chrome or any other browser after using Tor.

Thankfully though, the Tor Project has patched this vulnerability with the release of Tor Browser 10.0.18 which fixes the issue by setting the browser’s ‘network.protocol-handler.external’ setting to false. Once updated, the browser won’t be able to pass the handling of URLs to external applications and no more application prompts will appear that can be used to track users.
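For readers who want to check a Firefox-based profile for this setting, the following is an added example, not code from the Tor Project or FingerprintJS. It parses the text of a `prefs.js` or `user.js` file and reports any preference in the `network.protocol-handler.external` family that still allows URLs to be handed to external applications. It assumes the Firefox naming in which that family consists of `network.protocol-handler.external-default` plus per-scheme `network.protocol-handler.external.<scheme>` entries; the function names and sample profile contents are constructed for illustration.

```python
import re

# Pref family named in the article. The "-default" and ".<scheme>" suffixes are
# the Firefox naming this example assumes.
PREFIX = "network.protocol-handler.external"
# Matches active boolean pref lines; lines commented out with // do not match.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def external_handler_prefs(text):
    """Return {pref_name: bool} for every boolean pref in the family."""
    found = {}
    for name, value in PREF_RE.findall(text):
        if name == PREFIX or name.startswith((PREFIX + "-", PREFIX + ".")):
            found[name] = (value == "true")  # a later line overrides an earlier one
    return found

def audit(text):
    """List findings: prefs that let the browser hand URLs to external apps."""
    prefs = external_handler_prefs(text)
    findings = [f"{name} = true (external handling allowed)"
                for name, enabled in sorted(prefs.items()) if enabled]
    default = PREFIX + "-default"
    if default not in prefs and PREFIX not in prefs:
        findings.append(f"{default} not set in this file; built-in default applies")
    return findings

# Constructed sample profile contents, not taken from a real installation.
SAMPLE_WEAK = '''
// Mozilla User Preferences
user_pref("network.protocol-handler.external-default", true);
user_pref("network.protocol-handler.external.zoommtg", true);
user_pref("browser.startup.page", 0);
'''
SAMPLE_HARDENED = '''
user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.external.zoommtg", false);
'''

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text) or "no external handlers enabled")
```

A file that does not mention the default preference at all is reported separately, because the effective value then comes from the browser build rather than from the profile.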


Tor Browser users can protect themselves from this vulnerability by opening the browser’s menu, going to Help and selecting About Tor Browser to automatically check for and install any new updates. However, the new update can also be downloaded manually from the Tor Browser download page or the Tor Project’s distribution directory.

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
