If you’ve ever clicked on a link and noticed that it turns purple afterward, you probably didn’t think much of it. But that small detail in your browser history has just been revealed as the cause of a two-decade-old security flaw that could have exposed your browsing history. Google has finally addressed this vulnerability with a patch in the latest Chrome update.
How the Flaw Worked
In a recent blog post, Google explained that the flaw stemmed from “unpartitioned” browser cookies. These cookies tracked whether or not you had clicked on a link, but because they weren’t properly isolated between websites, visiting one site could inadvertently expose information to an entirely unrelated site. Specifically, if you clicked on a link from Site A that took you to Site B, the visited status would be shared across all websites, including others that had links to Site B.
This flaw, which Google described as a “core design flaw,” allowed malicious websites—dubbed “Site Evil” in Google’s explanation—to track your browsing history by detecting the color of visited links. If “Site Evil” contained a link to Site B, it could identify whether you had visited that site in the past, leaking sensitive browsing information in the process.
The Fix and its Implications
Fortunately, Google has now fixed this issue in the Chrome 136 update, which will be rolled out soon. The update ensures that browsing history related to link visits is stored separately and is not shared between sites. This fix is already available via the Chrome Beta channel.
This vulnerability has been around for quite a while. Security researcher Andrew Clover first demonstrated the flaw in 2002, and Princeton researchers also published a paper, “Timing Attacks on Web Privacy,” that highlighted similar risks. It wasn’t just Chrome that was affected—Apple’s Safari, Opera, Internet Explorer, and Mozilla Firefox also exhibited the same problem, as evidenced by a 2009 research paper.
Author’s Opinion
While Google’s fix is an important step, it highlights a larger issue—how many other longstanding vulnerabilities have gone unnoticed or unchecked in web browsers? With internet privacy becoming increasingly important, companies like Google must prioritize rigorous security audits to prevent similar problems in the future. The fact that a simple design feature like link coloring could expose user data underscores the need for continuous vigilance in web security.
