Thanks for testing it on Windows. We mostly tested it on MacOS Big Sur because all devs on the team have that OS.
With Windows different timings might be needed, we'll check into it tomorrow.
yeah, chrome/chromium on linux not tested at all, mostly because nobody on the team is using linux. We tested it on MacOS Big Sur and a bit of Windows.
Full table of what was tested here: https://github.com/fingerprintjs/external-protocol-flooding#... dathinab
Clever indeed; I only suspected this the second go-round, after I noticed the reload button flicker as I typed. I also noticed you don't have to press Enter or even type the correct phrase to get past the fake prompt. In hindsight, the easy to guess text should have been a dead give-away, but it wasn't.
Windows 10 does some garbage where it installs handlers for URL schemas that take you to the windows store install page for the app. The vulnerability is only testing if you have an handler installed for skype:// not what application is actually handling it.
Yeah, we tested it on MacOS Big Sur mostly. Nobody on the team had linux so we didn't really test there.
It can be made to work with better timings for the measurements etc.
Browsers open pop-ups to ask "Can I run that application?" but only if that application is installed. If that application is not installed, the browser will ignore the custom URL.
It looks like a mitigation might be that in the event you do not have the application installed, to return a "denied" status and send a prompt to the user like "Unknown application protocol".
Something like that could still would be susceptible to a timing attack though.
Yes I believe the proper fix would be to always behave as if a popup is showing, independent of weather or not it actually shows.
Through it's maybe slightly more complex as you might need to behave as if the user clicked cancel in a way where a attacker can not easily differentiate it from an actual user clicking cancel.
