Google Chrome will soon receive a patch for a privacy bug that existed for over two decades, allowing a malicious website to identify sites that were previously visited by a user. Over the years, some web browsers previously introduced some measures to deal with the issue, but Google says that the latest fix prevents sites from using security exploits to determine links visited by a user. The fix will arrive with Google Chrome version 136, which is expected to roll out later this month.
How :visited Link Partitioning Works
In a post on the Chrome developer blog published earlier this month, the company revealed that it has fixed an issue with the CSS :visited selector that could reveal details of a user’s browsing activity to another site. The browser usually shows a visited link in purple instead of blue, indicating the link — on that site — it was previously clicked by a user.
:visited {
color: purple;
background-color: yellow;
}
However, browsers also display the visited links with the purple colour on other websites, if they included the same link. Unscrupulous websites could then use malicious code to identify links in the browser’s :visited history. The issue was first identified in May 2022, which means the bug is nearly 23 years old.
Malicious sites could identify visited links on their website
Photo Credit: Google
This privacy bug existed for over 20 years due to a specific reason — the browser’s :visited history was “unpartitioned”. Clicking on a link would mark it as visited on any website that featured the same URL.
In order to patch this bug, Google adopted a three-tier partitioning system that is designed to prevent different forms of attacks used to discover a user’s link history. For starters, Google will only show a link as visited if a user clicked it on that particular site.
This means that if a user clicked a link to Site B on Site A, then Chrome won’t reveal the link to Site B as visited on Site C. As a result, the website can no longer determine whether the user has visited that link.
Blocking visited history on malicious sites using partitioning
Photo Credit: Google
Google Chrome will also limit the ability to check :visited links history for frames on websites. However, A website will be able to display its own subpages as :visited, according to Google. As a result, links to that site’s own subpages can appear in purple, while links to third party sites will appear blue, protecting user privacy.
Google says the bug has been fixed on Chrome version 136, which is expected to roll out to users on the stable channel on April 23. Meanwhile, Google Chrome beta testers and users who are running nightly builds of Chrome should already be protected from the 23-yeat old privacy bug.
