Google Chrome Fixes 23-Year-Old Bug That Let Sites See Your Previously Visited Links

Google Chrome will quickly obtain a patch for a privateness bug that existed for over 20 years, permitting a malicious web site to establish websites that had been beforehand visited by a person. Over the years, some net browsers beforehand launched some measures to cope with the difficulty, however Google says that the most recent repair prevents websites from utilizing safety exploits to find out hyperlinks visited by a person. The repair will arrive with Google Chrome model 136, which is anticipated to roll out later this month.

How :visited Link Partitioning Works

In a publish on the Chrome developer weblog printed earlier this month, the corporate revealed that it has fastened a difficulty with the CSS :visited selector that might reveal particulars of a person’s searching exercise to a different website. The browser normally reveals a visited hyperlink in purple as an alternative of blue, indicating the hyperlink — on that website — it was beforehand clicked by a person. 

:visited {
  colour: purple;
  background-color: yellow;
  }

However, browsers additionally show the visited hyperlinks with the purple color on different web sites, in the event that they included the identical hyperlink. Unscrupulous web sites may then use malicious code to establish hyperlinks within the browser’s :visited historical past. The subject was first recognized in May 2022, which implies the bug is sort of 23 years outdated.

Malicious websites may establish visited hyperlinks on their web site
Photo Credit: Google

This privateness bug existed for over 20 years resulting from a selected purpose — the browser’s :visited historical past was “unpartitioned”. Clicking on a hyperlink would mark it as visited on any web site that featured the identical URL.

In order to patch this bug, Google adopted a three-tier partitioning system that’s designed to stop totally different types of assaults used to find a person’s hyperlink historical past. For starters, Google will solely present a hyperlink as visited if a person clicked it on that individual website. 

This implies that if a person clicked a hyperlink to Site B on Site A, then Chrome will not reveal the hyperlink to Site B as visited on Site C. As a end result, the web site can now not decide whether or not the person has visited that hyperlink.

Blocking visited historical past on malicious websites utilizing partitioning
Photo Credit: Google

Google Chrome may even restrict the flexibility to test :visited hyperlinks historical past for frames on web sites. However, A web site will have the ability to show its personal subpages as :visited, in accordance with Google. As a end result, hyperlinks to that website’s personal subpages can seem in purple, whereas hyperlinks to 3rd social gathering websites will seem blue, defending person privateness.

Google says the bug has been fastened on Chrome model 136, which is anticipated to roll out to customers on the secure channel on April 23. Meanwhile, Google Chrome beta testers and customers who’re operating nightly builds of Chrome ought to already be shielded from the 23-yeat outdated privateness bug.