Ancient flaw that allowed hackers to view your Chrome browser history has finally been patched, so update now

Google is finally fixing a vulnerability in its Chrome browser that’s been present since its very inception, and that could be used to spy on people’s web surfing habits.

In a blog post, Google’s Kyra Seevers explained that when a person clicks on a link displayed in a web page, it turns from blue to purple. The idea behind this design was to improve the user experience and help people navigate the web easier.

This change of state is handled by CSS, but malicious actors found different ways to abuse this UX feature to spy on people’s browsing habits. For example, a malicious website could include thousands of links to popular websites, but style them in a way that the visitors don’t actually see them. The site then uses JavaScript or CSS to check which of those links should appear purple, effectively learning which sites the victim already visited.

Chrome 136 to the rescue

Apparently, the problem is not limited to Chrome but instead is present on most browsers these days. In fact, the problem predates Chrome, which was first introduced in 2008.

“These attacks can reveal which links a user has visited and leak details about their web browsing activity,” Seevers explained.

“This security problem has plagued the web for over 20 years, and browsers have deployed various stop-gaps to mitigate these history detection attacks. While the attacks are slowed down by these mitigations, they are not eliminated.”

However, the next version of the browser, Chrome 136, is supposed to “render these attacks obsolete.” This is accomplished by partitioning :visited link history, Seevers further stated.

Chrome 136 is scheduled for release in late April 2025.

Via The Register

You might also like

• Google Chrome security flaw could have let hackers spy on all your online habits
• We've rounded up the best password managers
• Take a look at our guide to the best authenticator app