Tor Browser 10.0.18 was released by the Tor Project to fix a number of problems, including a vulnerability that allows websites to track users by fingerprinting the apps they have installed on their devices.
The report shows that a tracking profile for a user is constructed by attempting to open multiple application URL handlers, such as zoommtg://, and checking whether the browser displays a prompt like the one it shows for Zoom.
If the app’s prompt appears, it’s safe to presume that the app has been installed on the device.
By checking for multiple URL handlers, a site exploiting the vulnerability can generate an ID based on the unique configuration of installed apps on the user’s device.
This ID can then be tracked across browsers such as Google Chrome, Edge, Tor Browser, Firefox, and Safari.
This flaw is particularly concerning for Tor users who use the browser to keep their identity and IP address hidden from websites.
Since this flaw follows users between browsers, it may be possible for online sites and even law enforcement to track a user’s genuine IP address if they switch to a non-anonymizing browser like Google Chrome.
The Tor Project patched this vulnerability in Tor Browser 10.0.18 by setting the ‘network.protocol-handler.external’ setting to false.
This default setting prevents the browser from handing off a specific URL to an external application, so the application prompts are no longer triggered.
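One way to check a profile for overrides that undo this setting, as an added example (not code from the Tor Project or the original article). It assumes the Firefox-style `user_pref("name", value);` file format, that `user.js` is applied after `prefs.js`, and that prefs whose names start with the article's `network.protocol-handler.external` control external handling; the sample file contents are constructed.

```python
import re

# Pref name taken from the article; matching per-scheme and "-default"
# variants by prefix is an assumption of this example.
PREFIX = "network.protocol-handler.external"

# One pref per line. Anchoring at line start means commented-out
# lines ("// user_pref(...)") never match and are treated as inactive.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: raw_value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit(*file_texts):
    """Merge files in load order and list handler prefs that are not false."""
    merged = {}
    for text in file_texts:
        merged.update(parse_prefs(text))
    return sorted(
        (name, value) for name, value in merged.items()
        if name.startswith(PREFIX) and value != "false"
    )

# Constructed sample data, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 0);
user_pref("network.protocol-handler.external.zoommtg", true);
user_pref("network.protocol-handler.external.mailto", false);
'''
SAMPLE_USER_JS = '''\
// user.js is applied after prefs.js, so its values win
user_pref("network.protocol-handler.external.zoommtg", false);
// user_pref("network.protocol-handler.external.mailto", true);
user_pref("network.protocol-handler.external-default", true);
'''

if __name__ == "__main__":
    for name, value in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"external handling re-enabled: {name} = {value}")
```

An empty result means no override in the audited files turns external handling back on; built-in browser defaults are not stored in these files and are outside what this check sees.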
The full changelog for Tor Browser 10.0.18 is:
- All Platforms
  - Update Tor to 0.4.5.9
  - Update Fenix to 89.1.1
  - Update NoScript to 11.2.8
  - Bug 40055: Rebase android-components patches on 75.0.22 for Fenix 89
  - Bug 40165: Announce v2 onion service deprecation on about:tor
  - Bug 40166: Hide “Normal” tab (again) and Sync tab in TabTray
  - Bug 40167: Hide “Save to Collection” in menu
  - Bug 40169: Rebase fenix patches to fenix v89.1.1
  - Bug 40170: Error building tor-browser-89.1.1-10.5-1
  - Bug 40432: Prevent probing installed applications
  - Bug 40470: Rebase 10.0 patches onto 89.0
- Build System
  - Bug 40290: Update components for mozilla89-based Fenix
You can upgrade to Tor Browser 10.0.18 by opening the menu, navigating to Help, and selecting About Tor Browser, which will automatically check for and install any new updates.