In April, the release of version 136 of Google Chrome finally addressed a privacy issue in the browser that has been widely known about since 2002 (and which, by the way, is also present in all other major browsers). This was really bad news for unscrupulous marketers, who had been exploiting it wholesale for 15 years. From this menacing description, you might be surprised to learn that the threat is a familiar and seemingly harmless convenience: links that your browser highlights in a different color after you visit them.
From a blue sky to purple rain
Changing the color of links to visited sites (by default from blue to purple) was first introduced 32 years ago in the NCSA Mosaic browser. This user-friendly practice was then adopted by almost all browsers in the 1990s, and it was later enshrined in the Cascading Style Sheets (CSS) standard — the language for styling web pages. Such recoloring occurs by default in all popular browsers today.
However, as early as in 2002, researchers noticed that this feature could be abused by placing hundreds or thousands of invisible links on a page and using JavaScript to detect which of them the browser renders as visited. In this way, a rogue site could partially uncover a user’s browsing history.
In 2010, researchers discovered that this technique was being used in the wild by some major sites to snoop on visitors — including YouPorn, TwinCities, and 480 other then-popular sites. It was also found that platforms like Tealium and Beencounter were offering history-sniffing services, while the advertising firm Interclick was using the technique for analytics, and even faced legal action over it. Although Interclick won the lawsuit, the major browsers have since modified the code that processes links to make it impossible to read whether a link was visited or not.
However, advances in web technologies created new workarounds for snooping on browsing history. A 2018 study described four new ways to check the state of links, two of which affected all tested browsers except the Tor Browser. One of the vulnerabilities, CVE-2018-6137, made it possible to check visited sites at up to 3000 links per second. Meanwhile, new and increasingly sophisticated attacks to extract browsing history continue to appear.
Why history theft is dangerous
Exposing your browsing history, even partially, poses several threats to users.
Not-so-private life. Knowing what sites you visit (especially if it relates to medical treatment, political parties, dating/gambling/porn sites, and similar sensitive topics), attackers can weaponize this information against you. They can then tailor a scam or bait to your individual case — be it extortion, a fake charity, the promise of new medication, or something else.
Targeted checks. A history-sniffing site could, for example, run through all the websites of the major banks to determine which one you use. Such information can be of use to both cybercriminals (say, for creating a fake payment form to fool you) and legitimate companies (say, for seeing which competitors you’ve looked at).
Profiling and deanonymization. We’ve written many times about how advertising and analytics companies use cookies and fingerprinting to track user movements and clicks across the web. Your browsing history serves as an effective fingerprint, especially when combined with other tracking technologies. If an analytics firm’s site can see what other sites you visited and when, it essentially functions as a super-cookie.
Guarding against browser history theft
Basic protection appeared in 2010 almost simultaneously in the Gecko (Firefox) and WebKit (Chrome and Safari) browser engines. This guarded against using basic code to read the state of links.
Around the same time, Firefox 3.5 introduced the option to completely disable the recoloring of visited links. In the Firefox-based Tor Browser, this option is enabled by default — but the option to save browsing history is disabled. This provides a robust defense against the whole class of attacks but sorely impacts convenience.
Unless you sacrifice an element of comfort, however, sophisticated attacks will still be able to sniff your browsing history.
Attempts are underway at Google to significantly change the status quo: starting with version 136, Chrome will have visited link partitioning enabled by default. In brief, it works like this: links are only recolored if they were clicked from the current site; and when attempting a check, a site can only “see” clicks originating from itself.
The database of website visits (and clicked links) is maintained separately for each domain. For example, suppose bank.com embeds a widget showing information from banksupport.com, and this widget contains a link to centralbank.com. If you click the centralbank.com link, it will be marked as visited — but only within the banksupport.com widget displayed on bank.com. If the exact same banksupport.com widget appears on some other site, the centralbank.com link will appear as unvisited. Chrome’s developers are so confident that partitioning is the long-awaited silver bullet that they’re nurturing tentative plans to switch off the 2010 mitigations.
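As an added illustration (not Chrome's code, and not part of the original post), the following JavaScript models the partitioned visited-link store described above, assuming each entry is keyed by link URL, top-level site, and frame origin; the URLs and the simplified "site" computation are constructed for the example.

```javascript
// Added toy model (not Chrome's code) of the partitioned visited-link store
// described above. Assumed key: (link URL, top-level site, frame origin);
// a link renders as :visited only when all three match.

// Assumption: "site" approximated as scheme + last two host labels
// (real browsers consult the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

class PartitionedVisitedLinks {
  constructor() { this.keys = new Set(); }

  // Triple key: the link itself, the site of the top-level page, and the
  // origin of the frame hosting the link (equal to the page origin when
  // the link sits in the main document rather than an embedded widget).
  static key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([linkUrl, siteOf(topLevelUrl), new URL(frameUrl).origin]);
  }

  // Record a click on `linkUrl` made inside frame `frameUrl` on page `topLevelUrl`.
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.keys.add(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl));
  }

  // Would the link be recolored in this page/frame context?
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.keys.has(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl));
  }
}

// The article's scenario with constructed URLs: a banksupport.com widget
// embedded on bank.com contains a centralbank.com link, which the user clicks.
function walkthrough() {
  const widget = "https://banksupport.com/widget";
  const link = "https://centralbank.com/";
  const store = new PartitionedVisitedLinks();
  store.recordClick(link, "https://www.bank.com/account", widget);

  // Pre-partitioning behaviour for contrast: one global set keyed by URL alone.
  const global = new Set([link]);
  return {
    sameWidgetOnBank: store.isVisited(link, "https://bank.com/", widget),           // true
    sameWidgetElsewhere: store.isVisited(link, "https://news.example/", widget),    // false
    bankMainDocument: store.isVisited(link, "https://bank.com/", "https://bank.com/"), // false
    unpartitioned: global.has(link),                                                // true
  };
}
```

Only the exact page-and-widget combination in which the click happened sees the link as visited; the same widget on another site, or any other frame, gets an unvisited answer.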
What about users?
If you don’t use Chrome (which, incidentally, has plenty of other privacy issues), you can take a few simple precautions to ward off the purple menace.
- Update your browser regularly to stay protected against newly discovered vulnerabilities.
- Use incognito or private browsing if you don’t want others to know what sites you visit. But read this post first — because private modes are no cure-all.
- Periodically clear cookies and browsing history in your browser.
- Disable the recoloring of visited links in the settings.
- Use tools to block trackers and spyware, such as Private Browsing in Kaspersky Premium, or a specialized browser extension.
To find out how else browsers can snoop on you, check these blogposts out: