Custom protocol handler exploit, seems to have no power here.

Unread post by moonbat » 2021-05-14, 04:19

From here -
In our research into anti-fraud techniques, we have discovered a vulnerability that allows websites to identify users reliably across different desktop browsers and link their identities together. The desktop versions of Tor Browser, Safari, Chrome, and Firefox are all affected.

We will be referring to this vulnerability as scheme flooding, as it uses custom URL schemes as an attack vector. The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.
When I ran the test on PM, it just popped up the protocol handler dialog asking what to open with, and I canceled it. When I ran it in Chrome, there was a tiny popup window on the side as it rapidly enumerated all installed applications.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Unread post by Moonchild » 2021-05-14, 11:44

I didn't get the dialog but it hung just the same unable to get any information (even with the small pop-up opened)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Unread post by moonbat » 2021-05-14, 11:54

Do you have any protocol handlers in your profile? I have just one for Skype so it prompted me to pick one.

Unread post by Moonchild » 2021-05-14, 11:55

I think I have a few custom protocol handlers (e.g. for bank ID, btsync, and the like) and I've got some of them set to ask, others to just use the default application. But it can't query them by the looks of it so either way it fails.

Unread post by moonbat » 2021-05-14, 11:57

Maybe it's OS dependent. When I open the same page in Chromium it shows a warning that the test may not run properly on Chromium + Linux.

Unread post by Moonchild » 2021-05-14, 11:58

Possible, but they do state they tested it cross-platform so if it was possible to query UXP applications that way I'm sure it would happen.

Unread post by vannilla » 2021-05-14, 11:59

I got an "unexpected error" page.
Looks like I'm safe? :eh:

Unread post by Moonchild » 2021-05-14, 12:00

Funny. So 3 people tried it with 3 different results? XD

Unread post by Lootyhoof » 2021-05-14, 12:34

It looks like it's UA sniffing. If you have Firefox compatibility set or otherwise use a Firefox UA it shows the protocol handler box. If you use native or any UA that isn't one of the big browsers then it errors out.

Unread post by vannilla » 2021-05-14, 14:20

Still getting errors even when changing user agent strings... well, it's better this way so :shh:
(It's probably some "bad" interaction between the browser and the system, similar to how moonbat reported it not working with Chrome on Linux.)

Unread post by moonbat » 2021-05-14, 14:22

Times when security via obscurity helps ;)
Not that it succeeds when you use a Firefox UA.

Unread post by RealityRipple » 2021-05-15, 19:52

Failed on the first try, detected Skype, Steam, and Battle.net apps when I closed the little window in the corner and refreshed the page.

Kinda surprised otpauth and magnet aren't on that list.
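
An added example, not part of any post in this thread and not Pale Moon code: scheme flooding works from which custom URL schemes have a handler installed, so on a freedesktop (XDG) Linux desktop such as the Linux Mint machine mentioned above you can list the registered x-scheme-handler/* entries to see what is exposed at the OS level. The sample inputs and function names are constructed for illustration, and handler settings stored in the browser profile are not covered.

```python
from pathlib import Path

PREFIX = "x-scheme-handler/"
# Constructed sample inputs, not taken from any machine in the thread.
SAMPLE_DESKTOP = """[Desktop Entry]
MimeType=x-scheme-handler/skype;x-scheme-handler/tel;text/html;
[Desktop Action new-window]
MimeType=x-scheme-handler/ignored;
"""
SAMPLE_MIMEAPPS = """[Default Applications]
x-scheme-handler/magnet=example-torrent.desktop;
text/html=browser.desktop
"""

def parse_groups(text):
    """Parse freedesktop key=value text into {group: {key: value}}."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return groups

def schemes_in_desktop_entry(text):
    """URL schemes a .desktop file claims in its main group's MimeType key."""
    mime = parse_groups(text).get("Desktop Entry", {}).get("MimeType", "")
    return sorted({m[len(PREFIX):] for m in mime.split(";") if m.startswith(PREFIX)})

def audit(desktop_texts, mimeapps_text):
    """Return {scheme: sorted sources} from .desktop files and mimeapps.list defaults."""
    found = {}
    for name, text in desktop_texts.items():
        for scheme in schemes_in_desktop_entry(text):
            found.setdefault(scheme, set()).add(name)
    defaults = parse_groups(mimeapps_text).get("Default Applications", {})
    for key, value in defaults.items():
        if key.startswith(PREFIX):
            found.setdefault(key[len(PREFIX):], set()).add("default:" + value.split(";")[0])
    return {s: sorted(v) for s, v in sorted(found.items())}

if __name__ == "__main__":  # assumption: standard XDG locations on this machine
    dirs = [Path("/usr/share/applications"), Path.home() / ".local/share/applications"]
    texts = {p.name: p.read_text(errors="replace")
             for d in dirs if d.is_dir() for p in d.glob("*.desktop")}
    cfg = Path.home() / ".config/mimeapps.list"
    for scheme, src in audit(texts, cfg.read_text() if cfg.is_file() else "").items():
        print(f"{scheme}: {', '.join(src)}")
```

Run as a script it prints one line per registered scheme with the .desktop files or defaults that claim it; removing an unused handler takes that scheme out of the set.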
