Google has patched a long-standing security issue in its Chrome browser that may have exposed users’ browsing histories for over two decades. The vulnerability, linked to how web browsers display visited links, has existed since the early days of the modern internet and was only recently addressed in the latest Chrome update.
The issue centers around the way browsers mark links as “visited”—typically by changing their color from blue to purple. This visual cue also revealed more than it should have. According to Google, visited link data was stored in an “unpartitioned” way, meaning any site could potentially detect whether a user had previously clicked on specific URLs, even when those clicks happened on unrelated domains.
In a recent blog post, Google detailed how a malicious website could exploit this design. For example, if a user clicked on a link from Site A to Site B, and later visited a third-party site—dubbed “Site Evil”—that also contained a link to Site B, the styling of the link could reveal that the user had already visited Site B. This created a privacy loophole that websites could use to infer browsing activity without permission.
Google has labeled this a “core design flaw” and has now implemented a fix that isolates visited link data so it cannot be accessed across domains. The update is included in Chrome version 136 and is currently available in the browser’s beta channel. The change prevents visited link data from being shared across websites, tightening user privacy protections moving forward.
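The Site A / Site B / Site Evil scenario can be replayed against a toy model of the visited-link store. This is an added illustration, not code from Google or Chrome. The hostnames are constructed, and the partition key used here (link URL, top-level site, frame origin) is an assumption of the sketch.

```javascript
// Toy model of a browser's visited-link store (added illustration, not Chrome code).
// Hostnames are constructed sample values.

// Reduce a URL to scheme + host, standing in for "site"/"origin" in this model.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

class UnpartitionedStore {
  constructor() { this.visited = new Set(); }
  // The browsing context is ignored: one global list of visited URLs.
  recordClick(linkUrl, _topLevelUrl, _frameUrl) {
    this.visited.add(new URL(linkUrl).href);
  }
  isStyledVisited(linkUrl, _topLevelUrl, _frameUrl) {
    return this.visited.has(new URL(linkUrl).href);
  }
}

class PartitionedStore {
  constructor() { this.visited = new Set(); }
  // Assumed key for this sketch: link URL + top-level site + frame origin.
  key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([new URL(linkUrl).href, siteOf(topLevelUrl), siteOf(frameUrl)]);
  }
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.visited.add(this.key(linkUrl, topLevelUrl, frameUrl));
  }
  isStyledVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.visited.has(this.key(linkUrl, topLevelUrl, frameUrl));
  }
}

// Replay the article's scenario: a click on Site A leads to Site B,
// then Site Evil renders its own link to Site B.
function replayScenario(store) {
  const siteA = "https://site-a.example/news";
  const siteB = "https://site-b.example/account";
  const siteEvil = "https://site-evil.example/";
  store.recordClick(siteB, siteA, siteA);
  return {
    onSiteA: store.isStyledVisited(siteB, siteA, siteA),           // where the click happened
    onSiteEvil: store.isStyledVisited(siteB, siteEvil, siteEvil),  // unrelated top-level site
    evilFrameOnA: store.isStyledVisited(siteB, siteA, siteEvil),   // Site Evil framed inside Site A
  };
}

console.log("unpartitioned:", replayScenario(new UnpartitionedStore()));
console.log("partitioned:  ", replayScenario(new PartitionedStore()));
```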
This browser vulnerability isn’t unique to Chrome. Similar behavior has been observed in other browsers over the years, including Safari, Firefox, Opera, and Internet Explorer. The privacy risk was first demonstrated in 2002 by security researcher Andrew Clover, who referenced earlier academic work on how timing attacks could expose user data based on link styling.
Despite its age, the flaw remained exploitable because visited link tracking is so foundational to web browsers. A 2009 research paper further confirmed its presence in multiple platforms, raising questions about how such a basic design feature went unchecked for so long in terms of privacy.
With the Chrome fix now rolling out, users are encouraged to keep their browsers up to date to ensure improved protection against history-tracking techniques.