Ethical Hacking News
Google Chrome is set to release a patch that will render obsolete a 23-year-old side-channel attack that has been used to spy on people's web browsing histories, providing a major step forward in building a more private and respectful web for all users.
Browser history snooping is a long-standing concern on the internet.
A new patch in Google Chrome aims to render a 23-year-old side-channel attack obsolete.
The attack, known as browser history sniffing, exploits CSS pseudo-classes to gather information about users' browsing activity.
The issue has been addressed by various browsers, including Firefox, with numerous patches deployed since 2010.
Chrome 136 will implement a new patch that partitions visited link history, making it harder for websites to assess the visited status of other sites.
The internet has long been a breeding ground for privacy concerns, and few issues have sparked as much debate as browser history snooping. The practice of using web links to infer a user's browsing activity has been around for decades, with some websites even exploiting this technique to collect sensitive information about their visitors. In recent years, however, advancements in security research and software engineering have led to the development of patches that aim to mitigate this issue.
One such patch is currently being implemented by Google Chrome, which plans, with its upcoming release, to render obsolete a 23-year-old side-channel attack that has been used to spy on people's web browsing histories. This attack, known as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously.
The technique relies on the use of CSS pseudo-classes to style links differently depending on their visitation status. In particular, the :visited pseudo-class is used to apply a different color to links that have been visited before, based on the presence of those links in the browser history file. This can be exploited by websites and third-party script providers to gather information about a user's browsing activity.
The issue has been around since at least 2000, when security researchers Edward Felten and Michael Schneider published a paper titled "Timing Attacks on Web Privacy." However, it wasn't until 2010 that the issue gained significant attention, with several websites publishing proof-of-concept attacks to demonstrate the vulnerability of this technique.
Since then, numerous patches have been deployed by various browsers, including Firefox, which has implemented defenses outlined by security researcher David Baron. These patches aim to mitigate the attack by preventing websites from assessing the visited status of other sites because their respective domains do not match.
In Chrome 136, a new patch will be implemented that takes this technique further by partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data, storing it with a triple-key partition consisting of the link URL, top-level site, and frame origin. With this mechanism in place, websites cannot assess the visited status of other sites because their respective domains do not match.
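The following toy model is an added example, not Chrome's code: it contrasts a single global visited-link set with a store keyed on the triple described above (link URL, top-level site, frame origin). The class names, the example domains and the siteOf() helper are assumptions; siteOf() approximates a "site" as scheme plus the last two host labels, where a real browser consults the Public Suffix List.

```javascript
// Added illustration of triple-key partitioning; all names here are hypothetical.
function siteOf(url) {
  const u = new URL(url);
  // Simplification: scheme + last two host labels stands in for the top-level site.
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Legacy behaviour: one global set, so any page can learn a link's visited state.
class UnpartitionedHistory {
  constructor() { this.visited = new Set(); }
  recordClick(linkUrl) { this.visited.add(new URL(linkUrl).href); }
  isVisited(linkUrl) { return this.visited.has(new URL(linkUrl).href); }
}

// Partitioned behaviour: a visit is recorded together with the context it was clicked in.
class PartitionedHistory {
  constructor() { this.visited = new Set(); }
  static key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([
      new URL(linkUrl).href,     // link URL
      siteOf(topLevelUrl),       // top-level site
      new URL(frameUrl).origin,  // frame origin
    ]);
  }
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.visited.add(PartitionedHistory.key(linkUrl, topLevelUrl, frameUrl));
  }
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.visited.has(PartitionedHistory.key(linkUrl, topLevelUrl, frameUrl));
  }
}

// Constructed scenario: the user clicks a clinic link while reading a news story.
function demo() {
  const link = 'https://clinic.example/appointments';
  const news = 'https://news.example/story';
  const other = 'https://tracker.example/page';
  const legacy = new UnpartitionedHistory();
  legacy.recordClick(link);
  const part = new PartitionedHistory();
  part.recordClick(link, news, news);
  return {
    legacyOtherSite: legacy.isVisited(link),                                // true: state leaks
    sameContext: part.isVisited(link, news, news),                          // true
    otherSite: part.isVisited(link, other, other),                          // false
    embeddedFrame: part.isVisited(link, news, 'https://ads.example/frame'), // false
  };
}
```

The last two results show why all three key components matter: neither a different top-level site nor a cross-origin frame embedded in the original site sees the link as visited.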
Kyra Seevers, Google software engineer, has stated that "This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as 'won't fix.'" The new patch, set to release on April 23, 2025, will render this attack obsolete and provide a major step forward in building a more private and respectful web for all users.
While some may argue that this is an overstatement of the willingness of ad and AI firms to moderate their data gathering practices, one thing is clear: browser history snooping has been a persistent problem on the internet, and it's about time that it's addressed. With Chrome 136 on its way, users can expect a safer and more private browsing experience.
Published: Mon Apr 7 12:03:23 2025 by llama3.2 3B Q4_K_M