Google has made plenty of headlines for tracking Chrome users across the web. But this time it’s different. This time, Google is playing the good guy. Google warns that trackers and even attackers have been abusing Chrome for years through a vulnerability across almost all browsers. But that stops now. At least for Chrome users.
As I reported earlier in the month, Google has issued a very public, very stark warning over the inherent weakness in how browsers display previously clicked links. Put very simply, if your browser lets any website you visit display all previously clicked links as visited, then that website can piece together a view of your web history by including multiple links on its page, which will then show which ones you've visited before.
This may seem innocuous — but it isn’t. It’s a loophole that should have been shut many years before. “Since the early days of the internet,” Google says, websites have used this “to apply custom styles to links which users have clicked on before. Using the :visited selector, sites can improve their user experience and help their users navigate the web. However, as the customizability of visited links has increased over time, so too has the growing number of attacks discovered by security researchers.”
The fix is simple. From Google’s next major release, Chrome 136, the data will be partitioned and websites will only be able to see and display links previously clicked from their own top-level domains or subdomains.
It makes browsing more clunky for users, because you will no longer be steered away from previously visited sites wherever you are on the web, but you’ll be much safer and won’t be leaving a trail of breadcrumbs.
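A minimal model of the partitioning described above, added here as an illustration and not Chrome's own code: each visited entry is keyed by the site the link was clicked on, so a page on another site gets no match. The `siteOf` helper (last two hostname labels), the class and function names, and the `.example` URLs are assumptions constructed for this example.

```javascript
// Toy model of a browser's visited-link store (added example, not Chrome code).
// Assumption: a "site" is the last two hostname labels; real browsers use the
// Public Suffix List to work this out.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

class VisitedLinkStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  // Legacy key: the link alone. Partitioned key: link plus the site it was clicked on.
  key(linkUrl, pageUrl) {
    const link = new URL(linkUrl).href;
    return this.partitioned ? `${siteOf(pageUrl)} ${link}` : link;
  }
  recordClick(linkUrl, pageUrl) {
    this.entries.add(this.key(linkUrl, pageUrl));
  }
  isStyledVisited(linkUrl, pageUrl) {
    return this.entries.has(this.key(linkUrl, pageUrl));
  }
}

// Which of the links embedded in a page would be rendered as visited?
function visibleHistory(store, pageUrl, links) {
  return links.filter((link) => store.isStyledVisited(link, pageUrl));
}

function demo() {
  // Constructed sample clicks: [link that was clicked, page it was clicked on].
  const clicks = [
    ['https://bank.example/login', 'https://search.example/results'],
    ['https://clinic.example/appointments', 'https://mail.example/inbox'],
    ['https://news.example/story', 'https://blog.news.example/'],
  ];
  const links = clicks.map(([link]) => link);
  const legacy = new VisitedLinkStore({ partitioned: false });
  const split = new VisitedLinkStore({ partitioned: true });
  for (const [link, page] of clicks) {
    legacy.recordClick(link, page);
    split.recordClick(link, page);
  }
  return {
    legacyOtherSite: visibleHistory(legacy, 'https://other.example/', links),
    partitionedOtherSite: visibleHistory(split, 'https://other.example/', links),
    partitionedSameSite: visibleHistory(split, 'https://www.news.example/', links),
  };
}
```

With the legacy store, an unrelated page sees all three links as visited; with the partitioned store it sees none, while a page on the same site as the original click still sees its own link.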
This had not received much attention, but thankfully that’s changing with increasing coverage of Chrome 136 and this security update. Per Tom’s Guide, “Google will finally stop this 20-year Chrome bug from leaking your browsing history to other websites.” While Cybersecurity News says “Chrome [will] ensure users’ browsing histories remain shielded from prying eyes, marking a significant leap forward in online security.”
Meanwhile, Bleeping Computer warns that “on other major browsers the :visited styles risk remains partially unaddressed. Firefox limits what styles are applied to :visited and blocks JavaScript from reading them, but there’s no partitioning to isolate them from sophisticated attack vectors. Safari also applies restrictions and uses aggressive privacy protections like Intelligent Tracking Prevention, somewhat mitigating the leaks, but there’s no partitioning to block all attacks.”
As such, the exposure on Chrome, the world’s most popular browser, has been worse than elsewhere. The update addresses this and goes further than others. The new version of Chrome is expected soon, with partitioning likely enabled by default. That means just updating your browser will kill this secretive tracking.