Google Chrome Finally Fixes a -Year Privacy Flaw That Leaked Your Browsing History

By /

Introduction: A New Era of Web Privacy Begins

After nearly two decades, Google is addressing a long-overlooked but critical web privacy flaw that quietly exposed users’ browsing histories. The vulnerability exploited how visited links were styled in browsers, allowing malicious websites to determine which links a user had previously clicked—regardless of where they were. With Chrome version 136, Google is implementing a robust solution: triple-key partitioning for :visited links. This update doesn’t just tighten user privacy—it redefines how browsers should handle historical browsing data, setting a new standard for the industry.

Here’s What’s Changing and Why It Matters

  • The Root of the Issue: Since early web design days, browsers have visually marked visited links (typically purple instead of blue) using the CSS :visited selector. While convenient for users, this feature has been misused by clever scripts to read these styles and deduce which URLs a user had previously visited.

  • How It Worked: Sites could run subtle tests using timing attacks, pixel probing, or manipulating user interactions to detect the color change from blue to purple. These changes acted like breadcrumbs, unintentionally revealing browsing behavior.

– Security Risks: This flaw

  • Google’s Long-Awaited Fix: Chrome 136 introduces a privacy-preserving model using triple-key partitioning. Now, whether a link shows as visited will depend on three factors:

1. The link’s URL (target).

  1. The top-level site the user is on (i.e., what appears in the address bar).

3. The frame origin rendering the link.

  • Why It Works: This setup ensures that a site can’t check your activity on another site. In other words, only the same domain and frame where a link was clicked will reflect that it’s been visited, effectively ending cross-site history leaks.

  • Usability Preserved: To prevent usability from taking a hit, Google added an exception for “self-links”. That means if you visit a link within a website, it will still show as visited when browsing other pages of that same site—keeping things user-friendly without compromising privacy.

  • Deprecated Solutions: Google chose not to fully remove the :visited selector or implement a permission system, as these alternatives either harm usability or offer limited protection.

  • How to Enable It Early: For those using Chrome versions 132 to 135, you can manually turn on the feature by going to:

“`

chrome://flags/partition-visited-link-database-with-self-links

“`

Set the flag to “enabled” to activate it. The full rollout is expected in Chrome 136.

– Where Other Browsers Stand:

  • Firefox restricts style changes and blocks JavaScript from reading :visited colors, but lacks the full partitioning model.
  • Safari uses strong privacy tools like Intelligent Tracking Prevention but doesn’t fully isolate visited links either.

What Undercode Say:

Google’s latest privacy fix is more than just a technical update—it’s a philosophical shift in how we approach user privacy in browser design. For years, styling visited links seemed like an innocuous feature. But beneath its surface lay a complex security loophole, easy to exploit and nearly impossible to detect without deep technical know-how.

The new triple-key partitioning is elegant in its simplicity but robust in its defense. By isolating the :visited state across domain, frame origin, and target URL, Google effectively silences decades of vulnerabilities without breaking how the web feels to users.

The decision to keep the :visited selector alive reflects Google’s deep understanding of user experience. Visual cues help users navigate the web—especially those who rely on accessibility tools. Removing these cues would create confusion, particularly on large content-driven websites.

The introduction of a “self-links” exception also shows thoughtful engineering. It maintains usability within a single website while preventing malicious cross-site lookups. This is the kind of balance users expect from modern web security—tight restrictions for bad actors, seamless interaction for everyone else.

While Chrome is taking the lead here, it’s clear that Firefox and Safari still have work to do. Firefox’s restrictions on styles and JavaScript access are helpful but don’t address sophisticated attack methods that leverage deeper system behavior. Safari’s tracking prevention offers broad privacy benefits, but again, it doesn’t tackle the specific case of :visited link isolation.

This patch isn’t just about fixing the past—it’s about setting a precedent. By drawing a hard line on browser-based privacy leaks, Google is sending a message: subtle data leaks won’t be tolerated anymore, no matter how niche or long-standing they may be.

In a world increasingly defined by personal data, even small design decisions like link coloring carry weight. And with this update, Chrome is leading by example—choosing privacy, without sacrificing usability.

Fact Checker Results:

  • ✅ Confirmed: Chrome 136 implements triple-key partitioning for visited links.
  • ✅ Accurate: Exploit methods including timing and pixel attacks have been documented in academic and industry research.
  • ✅ Verified: Competing browsers have only partially addressed this vulnerability, lacking full partitioning models.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image