Google is addressing a longstanding privacy issue in Chrome that allowed websites to detect users' browsing history by checking the styling of visited links. This vulnerability, present for over two decades, enabled malicious sites to determine which links a user had previously clicked, posing significant privacy and security risks.
The problem stemmed from the browser's handling of the ':visited' CSS selector, which changes the appearance of links that a user has already visited. By exploiting this feature, websites could infer a user's browsing history without their consent.
With the release of Chrome version 136, Google is implementing a fix by introducing triple-key partitioning. This approach ensures that the visited status of links is stored in a way that is specific to the combination of the link's URL, the top-level site, and the user's profile, thereby preventing cross-site tracking of link visits.
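To make the partitioning concrete, here is an added toy model (not Chrome's code) in which a visited-link store is keyed either by link URL alone, as before, or by the triple the summary above describes (link URL, top-level site, profile). A page on an unrelated site renders candidate links and reads back their visited/unvisited styling, which is all a history-sniffing page needs; the site names and the `VisitedLinkStore` class are constructed for this example.

```javascript
// Toy model of :visited link state, constructed for illustration only.
// With partitioned === false the key is the bare link URL (the old behaviour);
// with partitioned === true the key is (profile, top-level site, link URL).
class VisitedLinkStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.visits = new Set();
  }
  key(linkUrl, topLevelSite, profile) {
    return this.partitioned ? `${profile}|${topLevelSite}|${linkUrl}` : linkUrl;
  }
  recordVisit(linkUrl, topLevelSite, profile) {
    this.visits.add(this.key(linkUrl, topLevelSite, profile));
  }
  isVisited(linkUrl, topLevelSite, profile) {
    return this.visits.has(this.key(linkUrl, topLevelSite, profile));
  }
}

// What a page on `site` observes: the styling of each candidate link it renders.
function renderLinks(store, site, profile, candidateUrls) {
  return candidateUrls.map((url) => ({
    url,
    style: store.isVisited(url, site, profile) ? 'visited' : 'unvisited',
  }));
}

// URLs a third-party page could infer from styling alone.
function sniffedHistory(store, site, profile, candidateUrls) {
  return renderLinks(store, site, profile, candidateUrls)
    .filter((link) => link.style === 'visited')
    .map((link) => link.url);
}

function demo() {
  const profile = 'default';
  const candidates = ['https://bank.example/login', 'https://news.example/', 'https://social.example/feed'];
  const legacy = new VisitedLinkStore(false);
  const partitioned = new VisitedLinkStore(true);
  for (const store of [legacy, partitioned]) {
    // The user followed the bank link from news.example and a feed link on social.example.
    store.recordVisit('https://bank.example/login', 'https://news.example', profile);
    store.recordVisit('https://social.example/feed', 'https://social.example', profile);
  }
  return {
    legacyLeak: sniffedHistory(legacy, 'https://tracker.example', profile, candidates),
    partitionedLeak: sniffedHistory(partitioned, 'https://tracker.example', profile, candidates),
    // The link the user actually clicked on news.example still renders as visited there.
    stillVisitedWhereClicked: partitioned.isVisited('https://bank.example/login', 'https://news.example', profile),
  };
}
```

Running `demo()` shows the unpartitioned store exposing both visited URLs to tracker.example, while the partitioned store exposes none yet keeps the visited styling on the site where the click happened.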
This update is part of Google's broader efforts to enhance user privacy and security in its browser. Users are encouraged to update to the latest version to benefit from these improvements.
Source: Bleeping Computer
Analysis
The privacy flaw that allowed websites to detect a user's browsing history by checking the visual styling of visited links has affected all major browsers over the years. Most modern browsers have implemented mitigations against this long-standing privacy flaw, though the strength and transparency of those measures vary.
Browsers like Firefox, Safari, and now Chrome have each taken different approaches to address the issue. Firefox, for instance, has long restricted the styles that can be applied to visited links and ensures that scripts can't detect those style changes, effectively neutralizing history sniffing via this method.
Other Chromium-based browsers such as Microsoft Edge and Opera inherit Chrome's underlying behaviour and may adopt this fix soon, though they also limit user control over other tracking mechanisms such as hyperlink auditing. Brave, known for its strong privacy stance, disables such tracking features by default, while Apple's Safari has implemented similar style restrictions but removed the option to disable hyperlink auditing, drawing some criticism from privacy advocates.
Chrome’s new triple-key fix is a significant step forward, and other browsers may follow suit to further close off this subtle yet serious vector for history-based tracking.
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for web browser-related threats. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these threats.
Field Effect MDR users are automatically notified if a potentially vulnerable version of Chrome is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that users keep web browsers up to date by enabling automatic updates. This ensures that the latest security updates are installed as soon as possible, leaving threat actors a smaller window in which to conduct attacks.