Google Chrome Fixes 23-Yr-Outdated Bug That Let Sites See Your Beforehand Visited Links

Google Chrome will quickly obtain a patch for a privateness bug that existed for over twenty years, permitting a malicious web site to determine websites that had been beforehand visited by a person. Over the years, some net browsers beforehand launched some measures to cope with the difficulty, however Google says that the most recent repair prevents websites from utilizing safety exploits to find out hyperlinks visited by a person. The repair will arrive with Google Chrome model 136, which is predicted to roll out later this month.

How :visited Link Partitioning Works

In a publish on the Chrome developer weblog revealed earlier this month, the corporate revealed that it has mounted a difficulty with the CSS :visited selector that might reveal particulars of a person’s looking exercise to a different web site. The browser normally reveals a visited hyperlink in purple as an alternative of blue, indicating the hyperlink — on that web site — it was beforehand clicked by a person. 

:visited {
  colour: purple;
  background-color: yellow;
  }

However, browsers additionally show the visited hyperlinks with the purple color on different web sites, in the event that they included the identical hyperlink. Unscrupulous web sites might then use malicious code to determine hyperlinks within the browser’s :visited historical past. The situation was first recognized in May 2022, which implies the bug is sort of 23 years outdated.

Malicious websites might determine visited hyperlinks on their web site
Photo Credit: Google

This privateness bug existed for over 20 years resulting from a particular purpose — the browser’s :visited historical past was “unpartitioned”. Clicking on a hyperlink would mark it as visited on any web site that featured the identical URL.

In order to patch this bug, Google adopted a three-tier partitioning system that’s designed to stop totally different types of assaults used to find a person’s hyperlink historical past. For starters, Google will solely present a hyperlink as visited if a person clicked it on that exact web site. 

This implies that if a person clicked a hyperlink to Site B on Site A, then Chrome will not reveal the hyperlink to Site B as visited on Site C. As a consequence, the web site can not decide whether or not the person has visited that hyperlink.

Blocking visited historical past on malicious websites utilizing partitioning
Photo Credit: Google

Google Chrome will even restrict the power to examine :visited hyperlinks historical past for frames on web sites. However, An internet site will have the ability to show its personal subpages as :visited, in keeping with Google. As a consequence, hyperlinks to that web site’s personal subpages can seem in purple, whereas hyperlinks to 3rd occasion websites will seem blue, defending person privateness.

Google says the bug has been mounted on Chrome model 136, which is predicted to roll out to customers on the steady channel on April 23. Meanwhile, Google Chrome beta testers and customers who’re working nightly builds of Chrome ought to already be protected against the 23-yeat outdated privateness bug.