Google Chrome is set to address a long-standing privacy vulnerability that has persisted for over 20 years, allowing malicious websites to track previously visited sites by users. Although various web browsers have attempted to mitigate this issue over the years, Google asserts that its upcoming update will effectively seal off avenues for sites to exploit security flaws to uncover users’ browsing history. The correction will be included in Google Chrome version 136, expected to be released later this month.
Mechanism of :visited Link Partitioning
In a recent blog post on Chrome’s developer platform, the company detailed the resolution of a problem associated with the CSS :visited selector, which posed risks by disclosing parts of a user’s browsing history to other websites. Traditionally, browsers have highlighted visited links in purple rather than blue, marking them as previously accessed by the user.
:visited {
color: purple;
background-color: yellow;
}
However, links that had been visited could also be indicated in the same way by other sites if they featured the same URL. Malicious entities were therefore able to deploy harmful code to track these visited links. This vulnerability was initially flagged in May 2022, marking the bug’s nearly 23-year existence.
Malicious sites could determine visited links on their platform
Photo Credit: Google
The longevity of this privacy issue can be attributed to the “unpartitioned” state of the browser’s :visited history, where clicking a link would classify it as visited across all sites that contained the same URL.
To rectify this flaw, Google has implemented a robust three-tier partitioning system aimed at thwarting various forms of attacks that might seek to unearth a user’s link history. Under this new protocol, a link will only be marked as visited if the user has clicked it specifically on that site.
Consequently, if a user clicks a link to Site B while on Site A, Chrome will not categorize that link as visited when viewed from Site C. This change means that other sites will not be able to ascertain whether the user has accessed that link before.
Blocking visited link history on malicious sites through partitioning
Photo Credit: Google
Additionally, Google Chrome will restrict the ability to track :visited link history through website frames. Nevertheless, a site will be permitted to display its subpages as :visited, enabling links to its own pages to appear in purple while links to external sites remain blue, thereby safeguarding user privacy.
The vulnerability has been resolved in Chrome version 136, which is projected to be available to users on the stable channel starting April 23. Meanwhile, beta testers and users engaged with nightly builds of Chrome should already have protection against this long-standing privacy issue.
