
Google Fixes 23-Year-Old Chrome Flaw That Could Leak Your Browser History

The security flaw, which is older than many Google employees, potentially allowed websites to discover what links you've clicked on in the past.

Will McCurdy, Contributor


If you’ve spent a decent amount of time on the web, you’ve probably noticed that blue links turn purple after you click on them. But you probably didn't realize that this small detail facilitated a two-decades-old security flaw that could have revealed sensitive details about your browsing history, and which Google has only just patched. 

Explaining the flaw in a recent blog post, Google said the browser cookies indicating whether or not you have clicked on a link were what it called “unpartitioned.” This meant that if you clicked a link, it would show as visited on every website displaying that link, even if that website was completely unrelated.

Google called this a “core design flaw,” as it potentially leaked information about users' online activity. “You are browsing on Site A and click a link to go to Site B,” explained Google. “In this scenario, Site B would be added to your visited history. Later, you might visit Site Evil, which creates a link to Site B as well.”

Google highlighted that "Site Evil" could then use this security exploit to learn whether the link was styled as visited, finding out that you've visited Site B in the past—leaking information about your browsing history in the process.

The search giant has now corrected the flaw and will store data on what links you click separately, without sharing the info across different websites. The fix is set to roll out in Chrome 136 and is already available via the Chrome Beta channel.
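The difference between the old and new behavior can be shown with a small model of a visited-link store. This is an added sketch, not Chrome's code or anything from Google's post: the class and function names are hypothetical, the example.com-style hostnames are constructed, and the partition key used here (link URL, top-level site, frame origin) is an assumption, since the article says only that click data is now stored separately per site.

```javascript
// Simplified model of a browser's visited-link store (illustration only).
// VisitedLinkStore and scenario() are hypothetical names, not browser APIs.
class VisitedLinkStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }

  // Legacy behavior: the key is the link URL alone, so every site shares it.
  // Partitioned behavior (assumed key layout): the link URL is stored together
  // with the top-level site and the frame origin where the click happened.
  key(linkUrl, topLevelSite, frameOrigin) {
    return this.partitioned
      ? JSON.stringify([linkUrl, topLevelSite, frameOrigin])
      : JSON.stringify([linkUrl]);
  }

  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.entries.add(this.key(linkUrl, topLevelSite, frameOrigin));
  }

  // Would the browser style this link as visited in the given context?
  isStyledVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.entries.has(this.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Replays the article's scenario: a click on Site A, then a visit to Site Evil.
function scenario(partitioned) {
  const siteA = "https://site-a.example";       // constructed hostnames
  const siteEvil = "https://site-evil.example";
  const linkToB = "https://site-b.example/";
  const store = new VisitedLinkStore({ partitioned });

  store.recordClick(linkToB, siteA, siteA); // user clicks the link on Site A

  return {
    onSiteA: store.isStyledVisited(linkToB, siteA, siteA),
    onSiteEvil: store.isStyledVisited(linkToB, siteEvil, siteEvil),
    // A Site A frame embedded on Site Evil has a different top-level site.
    siteAFrameOnEvil: store.isStyledVisited(linkToB, siteEvil, siteA),
  };
}

console.log("unpartitioned:", scenario(false));
console.log("partitioned:  ", scenario(true));
```

In the unpartitioned run every context sees the link as visited; in the partitioned run only Site A, where the click actually happened, does.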

The flaw is older than many Google employees. Security researcher Andrew Clover posted a proof-of-concept attack based on the flaw in 2002, citing a paper by Princeton researchers called "Timing Attacks on Web Privacy."

It's not just Google Chrome that was impacted by the problem. A 2009 research paper demonstrated how the bug caused potential security issues in Apple's Safari, Opera, Internet Explorer, and Mozilla Firefox, The Register reports.
