
Google to Patch 23-Year-Old Chrome Bug That Leaked Browsing History

Google has announced a groundbreaking update to its Chrome browser that addresses a vulnerability in the web browser’s code, which has been leaking users’ browsing history for over two decades.

This long-standing issue stems from the CSS :visited selector, a web design feature that allows websites to style previously visited links.

While originally designed to improve user experience, it has inadvertently exposed users to privacy risks. The patch, to be implemented in Chrome 136, makes Google the first major browser developer to resolve this problem comprehensively.

A 23-Year-Old Threat

Since the early days of the internet, the CSS :visited selector has been an essential tool for web developers, allowing users to distinguish visited links from unvisited ones.

However, over time, security researchers discovered that malicious actors could exploit this feature to deduce users’ browsing history.

By crafting specific attacks, bad actors could determine whether a user had visited particular sites by observing how links were styled as :visited.

Before partitioning, when you clicked a link:
It would show as :visited on every site displaying that link!

This problem was exacerbated by the fact that, historically, :visited history was unpartitioned.

This meant that if a user visited a website (let’s call it “Site A”) and clicked a link to “Site B,” any other website with the same link to “Site B” (e.g., “Site Evil”) could infer that the user had visited Site B.

This posed serious privacy concerns, as malicious sites could exploit this design flaw to harvest sensitive browsing activity.

Partitioning Visited Link History

With Chrome 136, Google is introducing a new approach called “visited link partitioning,” which renders these attacks obsolete.

Partitioning ensures that a user’s :visited history is no longer a global list accessible across websites. Instead, the visited history will be tied to the specific context in which a link was clicked—namely, the combination of the link’s URL, the top-level site, and the frame origin.

After partitioning, when you click a link:
It is only displayed as :visited where you have clicked on it before!

In practice, this means that a link styled as :visited on one site will no longer appear as visited on another site unless the two share a specific browsing context.

For example, if you click a link to Site B while on Site A, this action will only be recorded in the context of Site A.

Should a malicious website like Site Evil attempt to check your visited links, it will find no evidence of your prior browsing activity, thus safeguarding your privacy.

To preserve user experience, the update includes an exception for self-links. This means that subpages on the same site can still appear as :visited even if they were accessed through a different context.

For example, visiting multiple pages on a wiki site will still display those links as visited, enhancing usability while maintaining privacy protections for cross-site activity.
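
The difference between the old global list and the partitioned store can be modelled in a few lines. This is an added illustration, not Chrome's code: the class names, the sample URLs and the simplified definition of a "site" are assumptions made for the example.

```javascript
// Toy model of visited-link storage. Added illustration, not Chrome's code.
// Assumption: a "site" is scheme + hostname (browsers use the registrable domain).
const siteOf = (url) => { const u = new URL(url); return `${u.protocol}//${u.hostname}`; };

class UnpartitionedHistory {
  constructor() { this.visited = new Set(); }
  recordClick(linkUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl) { return this.visited.has(linkUrl); } // same answer on every site
}

class PartitionedHistory {
  constructor() { this.keys = new Set(); this.anyContext = new Set(); }
  // Triple key from the article: link URL, top-level site, frame origin.
  static key(linkUrl, topUrl, frameUrl) {
    return JSON.stringify([linkUrl, siteOf(topUrl), new URL(frameUrl).origin]);
  }
  recordClick(linkUrl, topUrl, frameUrl) {
    this.keys.add(PartitionedHistory.key(linkUrl, topUrl, frameUrl));
    this.anyContext.add(linkUrl);
  }
  isVisited(linkUrl, topUrl, frameUrl) {
    if (this.keys.has(PartitionedHistory.key(linkUrl, topUrl, frameUrl))) return true;
    // Self-link exception (modelled assumption): a site may see its own pages as
    // visited regardless of the context in which they were opened.
    const self = siteOf(linkUrl) === siteOf(topUrl) && siteOf(linkUrl) === siteOf(frameUrl);
    return self && this.anyContext.has(linkUrl);
  }
}

function runScenario() {
  // Constructed sample URLs standing in for Site A, Site B, Site Evil and a wiki.
  const A = "https://site-a.example/", B = "https://site-b.example/page";
  const EVIL = "https://site-evil.example/";
  const WIKI = "https://wiki.example/", WIKI_PAGE = "https://wiki.example/Topic";
  const old = new UnpartitionedHistory(), part = new PartitionedHistory();
  for (const link of [B, WIKI_PAGE]) { // the user clicks both links while on Site A
    old.recordClick(link);
    part.recordClick(link, A, A);
  }
  return {
    oldEvilSeesB: old.isVisited(B),
    siteASeesB: part.isVisited(B, A, A),
    evilSeesB: part.isVisited(B, EVIL, EVIL),
    frameOfAInsideEvilSeesB: part.isVisited(B, EVIL, A),
    wikiSeesOwnPage: part.isVisited(WIKI_PAGE, WIKI, WIKI),
    evilSeesWikiPage: part.isVisited(WIKI_PAGE, EVIL, EVIL),
  };
}

console.log(runScenario());
```

In the model, only the unpartitioned store gives Site Evil a positive answer; with the triple key, the link to Site B reads as visited on Site A alone, and the wiki page reads as visited on the wiki itself through the self-link exception.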


Google’s implementation of partitioned :visited history in Chrome 136 marks a major milestone in web security. By tackling a problem that has lingered for 23 years, Chrome is establishing itself as a leader in privacy innovation.

This update is expected to set a new standard for browser security across the industry and offers Chrome users peace of mind when navigating the web.

As privacy concerns grow in the digital age, this improvement reflects Google’s commitment to protecting its users while maintaining a seamless browsing experience. Chrome users can look forward to this essential update when Chrome 136 rolls out.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
