Google Fixes 23-Year-Old Security Hole

Google says it has fixed one of the oldest security and privacy issues affecting Internet users. Chrome will soon make it impossible for sites to exploit the way links change color after you visit them.

While different sites can override the defaults, most web browsers will display links in blue. However, if you've previously visited a site by clicking on a link, browsers will often show it in a different color (purple, for example). The idea is to make it easier to avoid going back to a site that wasn't helpful, or to quickly find a site you've previously accessed when you're using a search engine.

However, dating back all the way to 2002, security experts have warned there's a potential privacy issue. The link colors change because your browser keeps a list of sites you have visited. Whether the link shows up in the different color depends on whether you have visited the linked site before, not what site the link appears on. (Source: theregister.com)

Rogue Sites Play Detective

Google gives the example "You are browsing on Site A and click a link to go to Site B. In this scenario, Site B would be added to your 'visited' history. Later, you might visit Site Evil, which creates a link to Site B as well. Without partitioning, Site Evil would display that link to Site B as 'visited' even though you hadn't clicked the link on Site Evil." (Source: chrome.com)

In theory, it's your browser doing the work and deciding what color to show the link. In reality, security gaps mean that although the list of sites you've visited is completely secured, a site showing a link can tell whether your browser is displaying it as a previously visited site - effectively introducing a vulnerability which could lead to some unwanted results. For example, a rogue site could put a link to a debt advice service, probe your browser to see if it's already been visited, then bombard the user with ads for shady loans companies.

Extra Secrecy

While different browser developers and security researchers have explored the problem for many years, it's never been a top priority. Now Google has finally developed a fix.

In simple terms, it involves not only storing the address of a visited site but also the site (or sites) you were on previously when you initially clicked the relevant link. If you go to another site with a link to the same destination, it will show up in the "visited" color, but this won't be revealed to the site you are currently on.

What's Your Opinion?

Had you even noticed links change color? Had you ever realized this could be a privacy issue? Does Google's solution make sense?