If you've spent any time online, you've probably noticed that whenever you click on the blue links in Google search results — they'll turn purple. This handy visual cue lets you know if you've previously visited a website page before, which means you won't accidentally keep clicking on the same page.
While this helpful feature might save you some time, it could also put your entire browsing history at risk.
Security researchers unearthed a 20-year-old security flaw in Google Chrome linked to this function. The issue stemmed from what Google refers to as "unpartitioned" browser cookies that tracks the links you've clicked, so the browser knows to display these search results in purple.
While several popular web browsers, including Safari and Firefox, have implemented extra measures to mitigate the risk of any leaks... Chrome is the first to introduce a new system to eliminate the risk
GOOGLE PRESS OFFICE
Google patched the decades-old issue — which it refers to as a "core design flaw" — in recent days.
Cybercriminals could use the simple colour-changing feature to potentially access a complete list of all website links you've clicked on in the past. Since this functionality is common across all web browsers, it's not limited to Google Chrome. Google admits that some browsers have deployed "stop-gaps" to try to limit the risk.
In a blog post about the issue, Software Engineer at Google, Kyra Seevers writes: "These attacks can reveal which links a user has visited and leak details about their web browsing activity. This security problem has plagued the web for over 20 years, and browsers have deployed various stop-gaps to mitigate these history detection attacks. While the attacks are slowed down by these mitigations, they are not eliminated."
It's worth noting the "core design flaw" would only impact links visited via a search engine, so those visited by typing the URL directly in the address bar would not be impacted by the flaw.
Google's Kyra Seevers says the latest fix being deployed by the US company makes Chrome "the first major browser to render these attacks obsolete".
Update to the latest version of Google Chrome to ensure you're protected — for the first time in two decades — against this type of attack. To prevent the issue, Google will now store data on what links you've clicked separately and never share that information across different websites.
Links to websites that have already been clicked appear in purple on Google's search results pages, whereas those you've never visited will be blue
GBN
The first time this flaw gained mainstream attention was when security researcher Andrew Clover posted a proof-of-concept attack back in 2002, citing a paper by Princeton researchers called "Timing Attacks on Web Privacy."
You must be running Google Chrome Version 136 or newer to guarantee that you've got the latest patch sent out by the Californian technology giant.
Your Chrome web browser usually downloads and installs updates automatically — with the first time you hear about the new version when you're prompted to restart the app to apply the latest changes.
However, it is possible to force Google Chrome to manually check for updates — helpful when you know that a critical update like this is slowly being rolled out to billions of devices worldwide.
To get started, open Chrome on your Windows or Mac computer, click the More button represented by three-dots in the top-right corner of the window, then navigate to Help > About Chrome.
If an update is available, Chrome will start downloading it and you'll see a Relaunch button to apply the update. If you can't find the Relaunch button, your Chrome is already up to date.
It's not just Chrome that's impacted by this issue.
According to The Register, a research paper published in 2009 successfully showed how the same bug could cause a security issues in Safari — the web browser developed by Apple and preinstalled on all iPhone, iPad and Mac models.
Apple applies several restrictions and uses its aggressive privacy protections, like Intelligent Tracking Prevention, to limit the risk of these types of leaks, but doesn't use a partition to block all attacks.
Similarly, Mozilla engineers have limited what styles are applied to this feature in its Firefox browser. It also blocks JavaScript from reading the list of URLs that shoud be turned purple to mitigate attacks, but there's no partition to isolate them from sophisticated attacks — like Google has now implemented.
