Ancient flaw that allowed hackers to view browsing history patched by Chrome

A UX feature that helps users determine which links they visited in the past can be abused
Over the years, there were multiple attempts to fix it
Google claims the next version of Chrome finally addresses it

Google is finally fixing a vulnerability in Chrome that’s been present since its very inception, and that could be used to spy on people’s browsing habits.

In a blog post published early April, Google’s Kyra Seevers explained that when a person clicks on a link displayed in a web page, it turns from blue to purple. The idea behind this design was to improve the user experience and help people navigate the web easier. This change of state is handled by CSS.

However, malicious actors found different ways to abuse this UX feature to spy on people’s browsing habits. For example, a malicious website could include thousands of links to popular websites, but style them in a way that the visitors don’t actually see them. The site then uses JavaScript or CSS to check which of those links should appear purple, effectively learning which sites the victim already visited.

Chrome 136 to the rescue

Apparently, the problem is not limited to Chrome but instead is present on most browsers these days. In fact, the problem predates the Chrome browser, which was first introduced in 2008.

“These attacks can reveal which links a user has visited and leak details about their web browsing activity,” Seevers explained. “This security problem has plagued the web for over 20 years, and browsers have deployed various stop-gaps to mitigate these history detection attacks. While the attacks are slowed down by these mitigations, they are not eliminated.”

However, the next version of the browser, Chrome 136, is supposed to “render these attacks obsolete.” This is accomplished by partitioning :visited link history, Seevers further stated.

We won’t bore you with the technicalities of the solution, but if you’re interested in reading them, make sure to check out Seevers’ blog here.

Chrome 136 is scheduled for release in late April 2025.

Via The Register

https://cdn.mos.cms.futurecdn.net/x6LMvCvfaP44cXGUjWmq3V-1200-80.jpg

Source link

There’s a horror movie about a killer Easter Bunny and it’s completely free to watch this weekend

IPVanish’s malware protection confirmed among the best on the market

Microsoft’s New Copilot Studio Feature Offers More User-Friendly Automation

Is AI bad for music or is it just another step in the auto-tune timeline?

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Iran, US to hold talks in Rome in bid to reach nuclear deal

PhonePe converts to public company ahead of planned IPO

Jerome Powell shows why Fed Reserve’s independence matters in a turbulent US

Sebi: MCA, Sebi plan investor camps for faster transfer of unclaimed shares, dividends

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Ancient flaw that allowed hackers to view browsing history patched by Chrome

Iran, US to hold talks in Rome in bid to reach nuclear deal

PhonePe converts to public company ahead of planned IPO

Jerome Powell shows why Fed Reserve’s independence matters in a turbulent US

Sebi: MCA, Sebi plan investor camps for faster transfer of unclaimed shares, dividends

Leave a reply Cancel reply