The Tor Project released Tor Browser version 10.0.18 to fix many bugs, including a vulnerability that allows websites to track users by fingerprinting the applications installed on their devices.
To track users, a site builds a tracking profile by attempting to open various application URL handlers, such as zoommtg://, and checking whether the browser displays a prompt, such as the one for Zoom.
If the application prompt is displayed, the application can be assumed to be installed on the device. By checking multiple URL handlers, a site exploiting the vulnerability could generate an ID based on the unique combination of applications installed on the user's device.
This ID can then be tracked across different browsers, such as Google Chrome, Edge, Tor Browser, Firefox, and Safari.
This vulnerability particularly affects Tor users, who use the browser to keep their identity and IP address from being logged by websites. Because the vulnerability tracks users across browsers, it could allow websites, and even law enforcement, to track a user's actual IP address when they switch to a non-anonymizing browser, such as Google Chrome.
With the release of Tor Browser 10.0.18, the Tor Project introduced a fix for this vulnerability, setting the "network.protocol-handler.external" setting to false.
With this default, the browser no longer hands off the handling of a specific URL to an external application, so the application prompts are no longer triggered.
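The following added example (not code from the Tor Project or the original article) audits the boolean `user_pref()` lines of a Firefox-family profile and reports which URL schemes may still be handed to an external application. The exact pref names `network.protocol-handler.external-default` and `network.protocol-handler.external.<scheme>`, the stock default of `true`, and the sample profiles are assumptions; the article gives only the `network.protocol-handler.external` name.

```python
import re

# Assumed Firefox-family pref names (the article gives only the
# "network.protocol-handler.external" name, not the full keys).
PREFIX = "network.protocol-handler.external."
DEFAULT_PREF = "network.protocol-handler.external-default"

# Matches boolean user_pref() lines; comments and other pref types are skipped.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_bool_prefs(text):
    """Return {pref_name: bool} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def audit_external_handlers(text, schemes, builtin_default=True):
    """Map each scheme to True if the profile lets it reach an external app.

    builtin_default is the value assumed when the profile does not set the
    default pref (assumption: stock Firefox behaviour is to allow hand-off).
    A per-scheme pref overrides the default in either direction.
    """
    prefs = parse_bool_prefs(text)
    default = prefs.get(DEFAULT_PREF, builtin_default)
    return {s: prefs.get(PREFIX + s, default) for s in schemes}

def exposed_schemes(text, schemes):
    """Schemes that can still trigger an external-application prompt."""
    result = audit_external_handlers(text, schemes)
    return sorted(s for s, allowed in result.items() if allowed)

# Constructed sample inputs, not taken from a real profile.
SCHEMES = ["zoommtg", "mailto", "skype"]
UNPATCHED = '''// constructed sample: no default override
user_pref("browser.startup.page", 1);
user_pref("network.protocol-handler.external.mailto", false);
'''
PATCHED = '''// constructed sample: default disabled, one scheme re-enabled
user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.external.mailto", true);
'''

if __name__ == "__main__":
    print("unpatched:", exposed_schemes(UNPATCHED, SCHEMES))
    print("patched:  ", exposed_schemes(PATCHED, SCHEMES))
```

The second sample shows why the default alone is not the whole check: a per-scheme override left in a profile still exposes that one handler.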
The complete changelog for Tor 10.0.18 is:
- Tor update to 0.4.5.9
- Fenix update to 89.1.1
- NoScript update to 11.2.8
- Bug 40165: Announcing the removal of the v2 onion service in about:tor
- Bug 40166: Hide the "Normal" tab (again) and the Sync tab in TabTray
- Bug 40167: Hide "Save to Collection" in the menu
- Bug 40169: Restarting fenix repairs on fenix v89.1.1
- Bug 40170: Error creating tor-browser-89.1.1-10.5-1
- Bug 40432: Prevent detection of installed applications
- Bug 40290: Update mozilla89-based Fenix components
You can upgrade to Tor Browser 10.0.18 by opening the menu, going to Help, and selecting About Tor Browser, which will automatically check and install new updates.
Source of information: bleepingcomputer.com