A long-standing security vulnerability, affecting web browsing across multiple platforms, has been addressed by Google Chrome, marking a significant step forward in online privacy. For years, the familiar visual cue—the shift from blue to purple when clicking on links appearing in Google search results—has indicated whether a page has been previously visited. While intended as a convenience feature, this functionality inadvertently created an opening for potential exploitation.
The root of the problem lies in how browsers historically handled data associated with these link color changes. The issue, described by Google as a “core design flaw,” involved what they call “unpartitioned” cookies—data that tracks clicked links to determine which should appear in purple. This tracking mechanism, while seemingly innocuous, allowed malicious actors to potentially reconstruct a user’s browsing history by observing patterns and timing discrepancies.
As Software Engineer Kyra Seevers explained in a recent Google blog post: “These attacks can reveal which links a user has visited and leak details about their web browsing activity.” The vulnerability, first highlighted with a proof-of-concept attack in 2002—referenced by research from Princeton University—has persisted for over two decades. Though browsers have implemented various measures to mitigate the risk, they haven’t been entirely successful.
Google’s latest update addresses this directly. It now stores data related to visited links separately, preventing information sharing across websites.
“With this fix, Chrome is the first major browser to render these attacks obsolete,” Seevers stated. To ensure protection, users need to be running Google Chrome Version 136 or higher. The update process typically occurs automatically; however, users can manually check for updates by navigating to Help > About Chrome within the browser’s menu (represented by three dots in the top-right corner).
It’s important to note that this vulnerability isn’t limited to Google Chrome.
Research dating back to 2009 demonstrated similar vulnerabilities in Safari, Apple’s web browser. While Apple employs privacy features like Intelligent Tracking Prevention and various restrictions, they haven’t implemented a full partition to block all attacks. Mozilla has also taken steps within Firefox by limiting the styles applied to this feature and blocking JavaScript access to the list of URLs intended for purple highlighting. However, these approaches don’t offer the same level of isolation achieved by Google’s new partitioning strategy.
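The difference between a shared visited-link store and a partitioned one can be modeled in a few lines. This is an added example, not code from Chrome or from Google's post; the class names, the sample URLs, the simplified `siteOf` helper and the partition key of link URL, top-level site and frame origin are assumptions made for illustration.

```javascript
// Toy model of a browser's visited-link store (constructed for illustration).
// Assumption: the partition key is (link URL, top-level site, frame origin).

// Simplified "site": scheme plus the last two host labels. Real browsers use
// the Public Suffix List instead.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Legacy behaviour: one global set, so any page can observe any visit.
class SharedVisitedStore {
  constructor() { this.visited = new Set(); }
  recordClick(link) { this.visited.add(link); }
  isStyledVisited(link) { return this.visited.has(link); }
}

// Partitioned behaviour: a visit is recorded per context that produced it.
class PartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  key(link, topLevelUrl, frameUrl) {
    return JSON.stringify([link, siteOf(topLevelUrl), new URL(frameUrl).origin]);
  }
  recordClick(link, topLevelUrl, frameUrl) {
    this.visited.add(this.key(link, topLevelUrl, frameUrl));
  }
  isStyledVisited(link, topLevelUrl, frameUrl) {
    return this.visited.has(this.key(link, topLevelUrl, frameUrl));
  }
}

// Constructed sample: a link clicked on one site, then rendered elsewhere.
function compareStores() {
  const link = 'https://clinic.example/appointments';
  const clickedOn = 'https://www.search.example/results';
  const otherSite = 'https://news.other.example/article';
  const embeddedFrame = 'https://widget.thirdparty.example/frame';
  const shared = new SharedVisitedStore();
  const part = new PartitionedVisitedStore();
  shared.recordClick(link);
  part.recordClick(link, clickedOn, clickedOn);
  return {
    sharedOtherSite: shared.isStyledVisited(link),
    partSameContext: part.isStyledVisited(link, clickedOn, clickedOn),
    partOtherSite: part.isStyledVisited(link, otherSite, otherSite),
    partThirdPartyFrame: part.isStyledVisited(link, clickedOn, embeddedFrame),
  };
}

console.log(compareStores());
```

In the shared model the unrelated site sees the link as visited; in the partitioned model only the context where the click happened does.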
- Google Chrome Version 136 or newer is required for full protection against this vulnerability.
- The vulnerability impacts links accessed through search engines, not directly entered URLs.
- This flaw has been a known issue for over two decades, prompting various attempts at mitigation.
“Browsers have deployed various stop-gaps to mitigate these history detection attacks,” Seevers noted. “While the attacks are slowed down by these mitigations, they are not eliminated.”
The resolution represents a significant advancement in web security and underscores the importance of addressing long-standing vulnerabilities, even those seemingly embedded within common features.