- A UX feature that shows users which links they have visited in the past can be abused
- Over the years, there have been several attempts to fix it
- Google claims that the next version of Chrome finally tackles it
Google is finally fixing a vulnerability in Chrome that has been present since the browser's creation and that could be used to spy on people's browsing habits.
In a blog post published in early April, Kyra Seevers of Google explained that when a person clicks on a link displayed in a web page, it changes from blue to purple. The idea behind this design was to improve the user experience and help people navigate the web more easily. This change of state is managed by CSS.
However, malicious actors have found different ways to abuse this UX function to spy on people's browsing habits. For example, a malicious website could include thousands of links to popular websites, but style them in a way that visitors do not really see them. The site then uses JavaScript or CSS to check which of these links would appear purple, effectively learning which sites the victim has already visited.
Chrome 136 to the rescue
Apparently, the problem is not limited to Chrome but is present in most browsers today. In fact, the problem predates the Chrome browser, which was first introduced in 2008.
“These attacks can reveal which links a user has visited and leak the details of his web browsing activity,” said Seevers. “This security problem has tormented the web for over 20 years, and browsers have deployed various stopping points to mitigate these history detection attacks. Although the attacks are slowed down by these attenuations, they are not eliminated.”
However, the next version of the browser, Chrome 136, is supposed to “make these attacks obsolete”. This is accomplished by partitioning the history of visited links, said Seevers.
We won't bother you with the technical details of the solution, but if you are interested in reading them, be sure to consult Seevers' blog post.
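As a rough illustration of what partitioning changes, here is an added sketch (not code from Google's post or from this article) that models a visited-link store with and without a partition key. The key shape used here (link URL, top-level site, frame origin), the class names and the example.* sites are assumptions of this sketch.

```javascript
// Simplified model of a browser's visited-link store (illustration only).
// Assumption: the partition key is (link URL, top-level site, frame origin).

class UnpartitionedHistory {
  constructor() { this.visited = new Set(); }
  // Legacy behaviour: one global list, the clicking context is ignored.
  recordClick(linkUrl, _topLevelSite, _frameOrigin) { this.visited.add(linkUrl); }
  isStyledVisited(linkUrl, _topLevelSite, _frameOrigin) {
    return this.visited.has(linkUrl);
  }
}

class PartitionedHistory {
  constructor() { this.visited = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }
  // A click is remembered only for the context in which it happened.
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
  }
  isStyledVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Constructed scenario: the user clicks a link to bank.example on news.example.
// Later, other pages that also link to bank.example ask how the link is styled.
function scenario(store) {
  const link = "https://bank.example/";
  const news = "https://news.example";
  store.recordClick(link, news, news);
  return {
    // The page where the click happened still shows the link as visited.
    sameSite: store.isStyledVisited(link, news, news),
    // An unrelated top-level site that merely contains the same link.
    otherSite: store.isStyledVisited(link, "https://other.example", "https://other.example"),
    // A third-party frame embedded in the original site.
    embeddedFrame: store.isStyledVisited(link, news, "https://ads.example"),
  };
}

const legacy = scenario(new UnpartitionedHistory());
const partitioned = scenario(new PartitionedHistory());
console.log("global history:     ", legacy);
console.log("partitioned history:", partitioned);
```

With the global store, every context sees the link as visited; with the partitioned store, only the page where the click actually happened does, so an unrelated page learns nothing from how its own links are styled.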
Chrome 136 should be released at the end of April 2025.
Via The Register




