- Google has patched a 23-year-old Chrome flaw that allowed websites to detect users’ browsing history through visited link styling.
- The issue stemmed from unpartitioned browser cookies that shared clicked link data across unrelated sites.
- Chrome 136 introduces a fix by isolating visited link data per site, now available in the Beta channel.
Google has fixed a long-standing vulnerability in its Chrome browser that could have allowed malicious websites to snoop on users’ browsing history. The flaw, which dates back over two decades, involved how the browser tracked whether users had clicked on links — a basic feature that changes link colors from blue to purple once visited.
The issue stemmed from how Chrome managed this data using browser cookies. For years, the browser stored information about clicked links in a way that was not isolated between websites. As a result, any website could potentially detect if a user had visited a specific URL, even if it had nothing to do with the current page being viewed.
This flaw opened the door for privacy violations. A malicious website could embed links to other sites and check their styling to determine if a user had visited them. By doing so, the site could silently piece together aspects of the user’s browsing history — a serious concern in an era where data privacy is paramount.
Google classified this vulnerability as a “core design flaw” and acknowledged that it had existed since the early days of the browser. The issue has now been resolved by storing visited link data separately for each website, preventing cross-site detection.
The fix is included in Chrome version 136, currently available through the Chrome Beta channel. Once the update rolls out more widely, users will be better protected from potential history-sniffing attacks that have lurked quietly in the background for years.
