Custom protocol handler exploit, seems to have no power here.

Post by moonbat » 2021-05-14, 04:19

From here -
In our research into anti-fraud techniques, we have discovered a vulnerability that allows websites to identify users reliably across different desktop browsers and link their identities together. The desktop versions of Tor Browser, Safari, Chrome, and Firefox are all affected.

We will be referring to this vulnerability as scheme flooding, as it uses custom URL schemes as an attack vector. The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.
When I ran the test on PM, it just popped up the protocol handler dialog asking what to open with, and I canceled it. When I ran it in Chrome, there was a tiny popup window on the side as it rapidly enumerated all installed applications.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20.1 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Post by Moonchild » 2021-05-14, 11:44

I didn't get the dialog but it hung just the same unable to get any information (even with the small pop-up opened)
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

Post by moonbat » 2021-05-14, 11:54

Do you have any protocol handlers in your profile? I have just one for Skype so it prompted me to pick one.

Post by Moonchild » 2021-05-14, 11:55

I think I have a few custom protocol handlers (e.g. for bank ID, btsync, and the like) and I've got some of them set to ask, others to just use the default application. But it can't query them by the looks of it so either way it fails.

Post by moonbat » 2021-05-14, 11:57

Maybe it's OS dependent. When I open the same page in Chromium it shows a warning that the test may not run properly on Chromium + Linux.

Post by Moonchild » 2021-05-14, 11:58

Possible, but they do state they tested it cross-platform so if it was possible to query UXP applications that way I'm sure it would happen.

Post by vannilla » 2021-05-14, 11:59

I got an "unexpected error" page.
Looks like I'm safe? :eh:

Post by Moonchild » 2021-05-14, 12:00

Funny. So 3 people tried it with 3 different results? XD

Post by Lootyhoof » 2021-05-14, 12:34

It looks like it's UA sniffing. If you have Firefox compatibility set or otherwise use a Firefox UA it shows the protocol handler box. If you use native or any UA that isn't one of the big browsers then it errors out.

Post by vannilla » 2021-05-14, 14:20

Still getting errors even when changing user agent strings... well, it's better this way so :shh:
(It's probably some "bad" interaction between the browser and the system, similar to how moonbat reported it not working with Chrome on Linux.)

Post by moonbat » 2021-05-14, 14:22

Times when security via obscurity helps ;)
Not that it succeeds when you use a Firefox UA.

Post by RealityRipple » 2021-05-15, 19:52

Failed on the first try, detected Skype, Steam, and Battle.net apps when I closed the little window in the corner and refreshed the page.

Kinda surprised otpauth and magnet aren't on that list.
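
Added example, not part of any post in this thread: a local audit for a Linux desktop like the one in moonbat's signature, listing which custom URL schemes are registered (the `x-scheme-handler/` entries in `.desktop` files and `mimeapps.list`) and showing the yes/no pattern over a probe list that the quoted write-up says is turned into an identifier. The sample file contents and the probe list are constructed for illustration.

```python
import configparser
from pathlib import Path

PREFIX = "x-scheme-handler/"
# Constructed sample input (not from a real system): three .desktop entries
# and a per-user mimeapps.list, in the freedesktop.org file formats.
SAMPLE_DESKTOP = {
    "skype.desktop": "[Desktop Entry]\nName=Skype\nMimeType=x-scheme-handler/skype;\n",
    "steam.desktop": "[Desktop Entry]\nName=Steam\n"
                     "MimeType=x-scheme-handler/steam;x-scheme-handler/steamlink;\n",
    "editor.desktop": "[Desktop Entry]\nName=Editor\nMimeType=text/plain;\n",
}
SAMPLE_MIMEAPPS = ("[Default Applications]\ntext/html=browser.desktop\n"
                   "x-scheme-handler/magnet=torrent.desktop;\n")

def _parse(text):
    # INI-like files; keep key case and disable % interpolation (Exec=... %u).
    p = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    p.optionxform = str
    try:
        p.read_string(text)
    except configparser.Error:
        pass  # malformed file: use whatever parsed before the error
    return p

def schemes_from_desktop(text):
    mime = _parse(text).get("Desktop Entry", "MimeType", fallback="")
    return {m[len(PREFIX):] for m in mime.split(";") if m.startswith(PREFIX)}

def schemes_from_mimeapps(text):
    p, found = _parse(text), set()
    for section in ("Default Applications", "Added Associations"):
        if p.has_section(section):
            found |= {k[len(PREFIX):] for k in p[section] if k.startswith(PREFIX)}
    return found

def registered_schemes(desktop_files, mimeapps_text=""):
    found = schemes_from_mimeapps(mimeapps_text)
    for text in desktop_files.values():
        found |= schemes_from_desktop(text)
    return found

def exposure(found, probes):
    # One bit per probed scheme; the combined pattern is what identifies a machine.
    return "".join("1" if s in found else "0" for s in probes)

def load_local(dirs=("/usr/share/applications", "~/.local/share/applications")):
    # Read the real .desktop files on this machine (not used by the sample run).
    return {f.name: f.read_text(errors="replace")
            for d in dirs for f in Path(d).expanduser().glob("*.desktop")}

if __name__ == "__main__":
    found = registered_schemes(SAMPLE_DESKTOP, SAMPLE_MIMEAPPS)
    print(sorted(found), exposure(found, ["skype", "steam", "magnet", "otpauth"]))
```

To audit a real machine, pass `load_local()` and the contents of `~/.config/mimeapps.list` to `registered_schemes()` instead of the sample data.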
