Google has addressed a long-standing vulnerability in the Chrome web browser that could expose users’ browsing history. This issue, which dated back to the early 2000s, stemmed from the way browsers handle the display of visited links using cascading style sheets and the :visited selector.
To show which links users had already visited (typically marked in purple), browsers tracked this activity. However, as Google explained, the core problem was that the data on visited links was stored without isolating privacy between websites. As a result, any site could potentially determine whether a specific link had already been visited, even if the link appeared on an entirely different domain.
For example, Google described a scenario where a user browses site A and clicks on a link to site B. Later, when the user visits a different site—possibly a malicious one—called site C, that site could detect whether the user had been to site B simply by analyzing the color of the link.
Google identified this as a fundamental design flaw and highlighted its potential use for tracking users’ online activity. The vulnerability was not limited to Chrome alone but also affected other major browsers such as Safari, Opera, Internet Explorer, and Firefox, according to PCMag.
Fix Included in Chrome Beta, More to Come
The issue was first brought to light in 2002 by security researcher Andrew Clover, who illustrated how the flaw could be exploited, referencing Princeton University’s paper, “Timing Attacks on Web Privacy.” His demonstration laid out the steps for an attack that relied on timing and styling of visited links.
Google has now implemented a fix in the beta version of Chrome 136, adds NIXsolutions. The new approach ensures that visited link information is stored separately for each website and not shared across different sites. This marks a significant improvement in protecting user privacy during web navigation.
While the issue had persisted for over two decades, this fix brings Chrome in line with stronger privacy practices. Other browsers may follow suit, and we’ll keep you updated as more integrations and improvements become available.