- A UX feature that helps users to determine which links visited in the past can be abused
- Over the years, there were multiple attempts to fix it
- Google states that Chrome’s next version is finally addressed
Google is finally fixing a vulnerability in Chrome that has been present since its inception, and that could be used to spy on the navigation habits of people.
In a blog post published in early April, the Kyra from Google Seeers explained that when a person clicks on a link shown on a web page, it passes from blue to purple. The idea behind this design was to improve the user experience and help people navigate the website more easily. This change of state is managed by CSS.
However, the malicious actors found different ways of abusing this UX characteristic to spy on people’s navigation habits. For example, a malicious website could include thousands of links to popular websites, but design them in a way that visitors do not see them. Then, the user JavaScript or CSS site to verify which of these links should appear purple, effectively learning which the victim already visited.
Chrome 136 to the rescue
Apparently, the problem is not limited to Chrome, but is present in most browsers these days. In fact, the problem is prior to the Chrome browser, which was first introduced in 2008.
“These attacks can reveal which links a user has visited and leaked details about their web navigation activity,” the Seeers explained. “This security problem has plagued the web for more than 20 years, and browsers have deployed several gaps to mitigate these history detection attacks. While the attacks slow down these mitigations, they are not eliminated.”
However, it is assumed that the next version of the browser, Chrome 136, “makes these obsolete attacks.” This is achieved by partition: Visited Link History, according to the views.
We will not bore it with the technicalities of the solution, but if you are interested in reading them, be sure to check the Severs blog here.
Chrome 136 is scheduled for its launch at the end of April 2025.
Through The registration
