Google to Patch 23-years Old Chrome Vulnerability That Leaks Browsing History
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Google has announced a significant security improvement for Chrome version 136. This update addresses a 23-year-old vulnerability that could allow malicious websites to snoop on users’ browsing histories.
The fix, called “:visited link partitioning,” makes Chrome the first major browser to completely eliminate this long-standing privacy risk that has plagued web browsers since the early days of CSS.
The Purple Link Issue
Since the web’s early days, browsers have used the CSS :visited selector to style links users have previously clicked, typically turning them purple. This seemingly innocent feature has harbored a serious security flaw that security researchers have warned about for decades.
“What happens when you click a link? It turns purple!” explains Google in its announcement. This color change occurs because browsers apply special styling using the CSS :visited selector:
However, this traditional implementation allowed any website to detect whether a visitor had previously accessed specific URLs by checking if the browser rendered those links as “visited,” effectively leaking browsing history across different sites.
The core problem stems from how browsers maintained a global, unpartitioned list of visited URLs.
This meant that if a user visited Site B through a link on Site A, any other website could later determine that the user had visited Site B, even if the user never clicked a link to Site B from that third site.
Before partitioning
Malicious websites could create invisible links to thousands of popular websites and use various techniques to detect which ones the browser styled as :visited, creating an effective fingerprinting mechanism that revealed users’ browsing patterns.
How Partitioning Fixes The Problem
Chrome’s solution implements “partitioning” that associates visited links with their original context. Instead of maintaining a single global history list, Chrome will now store visited links alongside information about where they were clicked, including:
“Partitioning protects your browsing history by only showing a link as visited if you’ve clicked on that link from this site before,” Google explains.
“This effectively prevents cross-site history leaks while preserving the user experience benefit of visited link styling”.
After Partitioning
Self-Links Exception
To maintain usability, Chrome has implemented a “self-links carveout” that allows websites to display their own subpages as visited, even if the user accessed them from a different site.
Google justifies this exception by noting that “sites have other methods of tracking whether a user has visited its subpages,” so no new privacy risk is introduced.
This carveout only applies to a site’s own subpages. Links to third-party sites or in third-party iframes remain strictly partitioned, enforcing proper security boundaries.
The fix is launching with Chrome version 136, making Google’s browser the first to solve this decades-old security vulnerability completely. Other browsers have previously implemented partial mitigations that slowed down such attacks but did not eliminate them entirely.
Security experts have praised this approach as the right balance between maintaining web compatibility and protecting user privacy, addressing a vulnerability that has persisted since the CSS specification first introduced the :visited selector functionality.
#Chrome #Cyber_Security #Cyber_Security_News #Google #Vulnerability
Оригинальная версия на сайте:
Google to Patch 23-years Old Chrome Vulnerability That Leaks Browsing History
Author: Guru BaranGoogle has announced a significant security improvement for Chrome version 136. This update addresses a 23-year-old vulnerability that could allow malicious websites to snoop on users’ browsing histories.
The fix, called “:visited link partitioning,” makes Chrome the first major browser to completely eliminate this long-standing privacy risk that has plagued web browsers since the early days of CSS.
The Purple Link Issue
Since the web’s early days, browsers have used the CSS :visited selector to style links users have previously clicked, typically turning them purple. This seemingly innocent feature has harbored a serious security flaw that security researchers have warned about for decades.
“What happens when you click a link? It turns purple!” explains Google in its announcement. This color change occurs because browsers apply special styling using the CSS :visited selector:
However, this traditional implementation allowed any website to detect whether a visitor had previously accessed specific URLs by checking if the browser rendered those links as “visited,” effectively leaking browsing history across different sites.
The core problem stems from how browsers maintained a global, unpartitioned list of visited URLs.
This meant that if a user visited Site B through a link on Site A, any other website could later determine that the user had visited Site B, even if the user never clicked a link to Site B from that third site.
Before partitioningMalicious websites could create invisible links to thousands of popular websites and use various techniques to detect which ones the browser styled as :visited, creating an effective fingerprinting mechanism that revealed users’ browsing patterns.
How Partitioning Fixes The Problem
Chrome’s solution implements “partitioning” that associates visited links with their original context. Instead of maintaining a single global history list, Chrome will now store visited links alongside information about where they were clicked, including:
- The link URL
- The top-level site
- The frame origin
“Partitioning protects your browsing history by only showing a link as visited if you’ve clicked on that link from this site before,” Google explains.
“This effectively prevents cross-site history leaks while preserving the user experience benefit of visited link styling”.
After PartitioningSelf-Links Exception
To maintain usability, Chrome has implemented a “self-links carveout” that allows websites to display their own subpages as visited, even if the user accessed them from a different site.
Google justifies this exception by noting that “sites have other methods of tracking whether a user has visited its subpages,” so no new privacy risk is introduced.
This carveout only applies to a site’s own subpages. Links to third-party sites or in third-party iframes remain strictly partitioned, enforcing proper security boundaries.
The fix is launching with Chrome version 136, making Google’s browser the first to solve this decades-old security vulnerability completely. Other browsers have previously implemented partial mitigations that slowed down such attacks but did not eliminate them entirely.
Security experts have praised this approach as the right balance between maintaining web compatibility and protecting user privacy, addressing a vulnerability that has persisted since the CSS specification first introduced the :visited selector functionality.
#Chrome #Cyber_Security #Cyber_Security_News #Google #Vulnerability
Оригинальная версия на сайте:
