The open-source Tor Browser has been updated to version 10.0.18 with fixes for many issues, including a bug that allowed users to be fingerprinted across different browsers based on the applications installed on the computer.
In addition to updating Tor to version 0.4.5.9, the Android version of Tor has also upgraded Firefox to version 89.1.1 and integrated patches released by Mozilla to fix a number of security vulnerabilities resolved in Firefox 89.
The biggest problem fixed is the new fingerprinting attack that appeared last month. The vulnerability allows a malicious website to use information about the applications installed on the system to assign users a unique identifier that persists even if they switch browsers, browse anonymously, or use a VPN.
In other words, the vulnerability abuses the custom URL schemes that apps register, allowing hackers to track users across different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.
“A website that exploits a security vulnerability can generate a stable and unique identifier that can link that browsing information together,” said FingerprintJS researcher Konstantin Darutkin.
Currently, hackers have exploited 24 installed applications including Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode and Zoom.
This issue has serious privacy implications, as it can be exploited by hackers to track Tor users by linking their browsing activities when they switch to a non-anonymous browser, such as Google Chrome. To prevent this vulnerability, Tor has set “network.protocol-handler.external” to false to block the browser from probing installed applications.
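One way to check a profile's preference file for the setting described above, as an added example that is not part of the original article or Tor's own code. It assumes the standard `user_pref("name", value);` line format, treats the preference name quoted above as a prefix so per-scheme variants are also caught, and runs on constructed sample contents.

```python
import re

# Pref name quoted in the article; matching it as a prefix (so per-scheme
# variants are also caught) is an assumption of this example.
PREF_PREFIX = "network.protocol-handler.external"

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value}; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue  # skip commented-out prefs
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group("name")] = m.group("value")
    return prefs

def audit_external_handlers(text):
    """Return sorted pref names under PREF_PREFIX that are not set to false."""
    prefs = parse_prefs(text)
    return sorted(
        name for name, value in prefs.items()
        if name.startswith(PREF_PREFIX) and value != "false"
    )

def is_hardened(text):
    """True only if at least one matching pref exists and all are false."""
    prefs = parse_prefs(text)
    matching = [n for n in prefs if n.startswith(PREF_PREFIX)]
    return bool(matching) and not audit_external_handlers(text)

# Constructed sample profile contents (not taken from a real installation).
SAMPLE_WEAK = '''
user_pref("browser.startup.page", 3);
user_pref("network.protocol-handler.external", true);
user_pref("network.protocol-handler.external.mailto", true);
'''
SAMPLE_HARDENED = '''
user_pref("network.protocol-handler.external", true);
user_pref("network.protocol-handler.external", false);
// user_pref("network.protocol-handler.external.mailto", true);
'''

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, is_hardened(text), audit_external_handlers(text))
```

A profile with no matching preference at all is reported as not hardened, since the browser's built-in default then applies and this check cannot see it.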
Among the other three browsers, although Google Chrome has built-in protection features, which prevent the launch of any application unless it is triggered by a user action, such as a click.
“Until this vulnerability is fixed, the only way to keep private browsing sessions from being linked to your system is to use another device,” said Darutkin. Tor users are encouraged to quickly download updates to stay protected.
This incident comes more than a week after encrypted messaging service Wire resolved two critical vulnerabilities in its iOS and web apps that could lead to a denial of service (CVE-2021-32666) and allow attackers to take control of user accounts (CVE-2021-32683).