Google Chrome Fixes a 23-Year-Old Risk: How a New Patch Protects Your Private Links from Unethical Sites

Google Chrome is set to implement a fix for a privacy flaw that persisted for more than 20 years, which enabled malicious web pages to recognize sites that a user had previously accessed. Throughout the years, various web browsers have attempted to address this concern, yet Google states that the upcoming solution will prevent websites from exploiting security vulnerabilities to ascertain links that a user has visited. This correction will be included in Google Chrome version 136, anticipated to be released later this month.

Understanding :visited Link Partitioning

In a blog post on the Chrome developer site published earlier this month, the company disclosed that it has resolved an issue with the CSS :visited selector that could expose information about a user’s browsing habits to other sites. Typically, a visited link is displayed in purple instead of blue, signaling that the link — on that specific site — has been previously clicked by the user. 

:visited {
  color: purple;
  background-color: yellow;
}

Nonetheless, browsers also displayed visited links in purple on other websites that contained the same link. Unscrupulous sites could exploit this to determine which links were in the browser’s :visited history. The vulnerability was detected in May 2022, meaning it has been present for almost 23 years.

Malicious sites could recognize visited links on their platform
Photo Credit: Google

This privacy flaw endured for over 20 years because of a specific characteristic — the browser’s :visited history was "unpartitioned." Clicking on a link would mark it as visited across any site containing the identical URL.

To remedy this flaw, Google implemented a three-tier partitioning system aimed at thwarting various forms of attacks designed to uncover a user’s link history. First, Chrome will only classify a link as visited if the user clicked on it on that specific site.

This means that if a user clicks a link to Site B while on Site A, Chrome will not show the link to Site B as visited on Site C. Consequently, Site C can no longer ascertain whether the user has accessed that link.

Preventing identification of visited history on malicious sites through partitioning
Photo Credit: Google

Google Chrome will also restrict the ability of frames on websites to inspect :visited link history. Nevertheless, a website can mark its own subpages as :visited, per Google’s guidelines. This means links to a site’s own subpages may appear in purple, while links to external sites will show as blue, thus safeguarding user privacy.
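The partitioning described above can be modeled in a few lines. This is an added example, not Chrome's code and not from Google's post: the class names, the sample origins and the choice of key fields (link URL, top-level site, frame origin) are assumptions used to illustrate the three-part key, and a "site" is simplified to an origin string.

```javascript
// Simplified model of a browser's :visited store. Added example, not Chrome's code.
// All origins and URLs below are constructed sample values.

// Pre-fix behaviour: history is keyed by link URL only, so every site shares it.
class UnpartitionedStore {
  constructor() { this.urls = new Set(); }
  recordClick(linkUrl) { this.urls.add(linkUrl); }
  isVisited(linkUrl) { return this.urls.has(linkUrl); }
}

// Post-fix behaviour: an entry matches only in the context where the click happened.
class PartitionedStore {
  constructor() { this.keys = new Set(); this.urls = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.keys.add(PartitionedStore.key(linkUrl, topLevelSite, frameOrigin));
    this.urls.add(linkUrl); // the browser itself still knows the full history
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    if (this.keys.has(PartitionedStore.key(linkUrl, topLevelSite, frameOrigin))) return true;
    // Self-link exception: a site may style links to its own pages as visited,
    // since it already knows which of its own pages were loaded.
    const linkOrigin = new URL(linkUrl).origin;
    return linkOrigin === topLevelSite && linkOrigin === frameOrigin && this.urls.has(linkUrl);
  }
}

function demo() {
  const A = "https://site-a.example", B = "https://site-b.example", C = "https://site-c.example";
  const link = B + "/account";
  const oldStore = new UnpartitionedStore();
  const newStore = new PartitionedStore();
  oldStore.recordClick(link);        // user clicks the link to Site B while on Site A
  newStore.recordClick(link, A, A);
  return {
    oldVisibleEverywhere: oldStore.isVisited(link),   // old store has no notion of site
    newOnA: newStore.isVisited(link, A, A),           // same context as the click
    newOnC: newStore.isVisited(link, C, C),           // unrelated top-level site
    newFrameOfCInsideA: newStore.isVisited(link, A, C), // Site C framed inside Site A
    newSelfLinkOnB: newStore.isVisited(link, B, B),   // Site B linking to its own subpage
  };
}
console.log(demo());
```
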

Google confirms that the flaw has been rectified in Chrome version 136, which is slated for release to users on the stable channel on April 23. Meanwhile, beta testers and users operating nightly builds of Chrome should already be safeguarded against this long-standing privacy issue.
