Privacy-busting vulnerability links different browsers installed on the same computer

The scheme-flooding vulnerability can be used to figure out when different browsers have been installed on the same computer. It generates the same semi-unique ID for each browser on the computer, including Tor browser and incognito browser windows. I went to the demo site in Safari and in a Chrome Incognito window and got the same identifier both times. It said my identifier “was seen 18 times among 5190 tests so far. That means it is 99.65% unique.”

The exploit works by using URL schemes such as “messenger://” to check which apps are installed on your computer. If it checks 32 apps, it generates a 32-bit identifier (not with 32 bits of entropy, though).
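Why a 32-bit identifier carries fewer than 32 bits of entropy, as an added example (not code from the demo site or this post): each bit contributes a full bit only if the app is installed on exactly half of all machines, and correlated apps contribute less still. The install rates and sample identifiers below are constructed, and the uniqueness formula is an assumption that reproduces the percentage quoted above.

```python
import math
from collections import Counter

def bit_entropy(p):
    """Shannon entropy in bits of one installed / not-installed check."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def independent_bound(install_rates):
    """Identifier entropy if every app check were independent (an upper bound)."""
    return sum(bit_entropy(p) for p in install_rates)

def marginal_rates(identifiers):
    """Per-bit install rate from a sample of equal-length '0'/'1' strings."""
    n = len(identifiers)
    width = len(identifiers[0])
    return [sum(i[k] == "1" for i in identifiers) / n for k in range(width)]

def empirical_entropy(identifiers):
    """Entropy of the observed identifier distribution, correlations included."""
    n = len(identifiers)
    counts = Counter(identifiers)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def uniqueness_percent(times_seen, total_tests):
    """Assumed formula: share of tests that did not produce this identifier."""
    return 100.0 * (1 - times_seen / total_tests)

def surprisal_bits(times_seen, total_tests):
    """Bits of identifying information revealed by one observed identifier."""
    return -math.log2(times_seen / total_tests)

# Constructed install rates for 32 apps: 4 common, 12 uncommon, 16 rare.
CONSTRUCTED_RATES = [0.5] * 4 + [0.1] * 12 + [0.01] * 16

# Constructed sample: two apps that are always installed together.
CORRELATED_SAMPLE = ["00", "11", "00", "11"]

if __name__ == "__main__":
    print(f"32 checks, independent bound: {independent_bound(CONSTRUCTED_RATES):.2f} bits")
    rates = marginal_rates(CORRELATED_SAMPLE)
    print(f"correlated pair: bound {independent_bound(rates):.2f}, "
          f"actual {empirical_entropy(CORRELATED_SAMPLE):.2f} bits")
    print(f"18 of 5190: {uniqueness_percent(18, 5190):.2f}% unique, "
          f"{surprisal_bits(18, 5190):.2f} bits")
```

With these constructed rates the 32 checks yield roughly 11 bits rather than 32, and the identifier quoted above (seen 18 times in 5190 tests) corresponds to about 8 bits.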

Here are two ways the identifier could be made even more specific:

  • by enlarging the fixed list of apps to check for
  • by using a dynamic search strategy that repeatedly checks for the app whose presence or absence it predicts will give the most signal depending on the results seen so far (both from the current browser and from previously-tested browsers)