Hello, welcome to the Friday, May 14, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich,

and the time I'm recording from Jacksonville, Florida. We've got a new cross-browser fingerprinting technique

that comes from Constantine Durutkin from Fingerprint J.S. Fingerprint J.S.

Of course, fingerprinting JavaScript library. And what he found was an interesting cross-browser

vulnerability that allows you to identify a user possibly even if they're using different browsers.

So often privacy conscious users will use one browser for, for example, more sensitive

sites and another browser for business sites. And of course, different browsers keep

different cookies, different extensions and such.

So typically there is little crosstalk between browsers and information sort of stays separate to each browser.

But what Constantine found is there is one interesting issue that's identical for both browsers or all browsers

on the system and really more a feature or property of the system the browsers are running

on and this is registered URL schemes. So typically if you think about a URL, you think about

something like

HTTP colon or HTTP colon, which would be the schemes here for these URLs. But various

applications that are installed are able to register their own schemes, like for example, Skype

colon. So if you are clicking on a URL that starts with Skype colon, then of course, there will

be a pop-up offering you to use Skype.

But what's less known is that the browser can actually check which URL schemes are

registered. And that's exactly what this fingerprinting

technique does. It essentially enumerates software installed on your system. Now, they can't

figure out all software that's installed in your system, only software that has registered a URL scheme.

As part of their proof of concept, they're testing 24 different applications.

...