Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.
In addition to
updating Tor to 0.4.5.9, the browser's Android version has been upgraded to Firefox to version 89.1.1, alongside incorporating patches rolled out by Mozilla for several
security vulnerabilities addressed in Firefox 89.
Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed
scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN.
Put differently, the
weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.
thehackernews.com
