Google patched a Chrome flaw that's been tracking you since forever
Pretty much every platform or service has some sort of security vulnerability and Chrome is no exception. Not long ago, Google tackled some high-severity issues that could have led to unauthorized access to sensitive data in its browser and now, it is addressing another one.
Google patched a major vulnerability in its browser – one that has actually been around since day one and could've been used to snoop on your browsing habits.
If you've ever noticed how clicked links turn purple instead of staying blue, that tiny visual cue is at the heart of the issue. What seems like a simple feature actually opened the door to a two-decade-old privacy flaw that could quietly expose parts of your web history.
In a recent blog post, Google broke down how it worked: websites could style links using the :visited selector to show different colors if you had already clicked them, regardless of where you clicked them before. That meant other sites could run sneaky scripts to check which links were purple – and essentially peek at where you've been online.
It is not just about privacy, either. Google called it a "core design flaw" because it introduced real security risks like tracking, profiling, and even phishing. While the fix may have taken a while, it's finally here – and long overdue.
Chrome's upcoming update introduces triple-key partitioning, which means Chrome will no longer track visited links globally. Instead, it will now consider three things before marking a link as visited: the link's actual URL, the top-level site you are on (what shows in the address bar), and the frame origin where the link appears.
What this change does is make sure a link only shows up as visited if you have clicked on it before on that same site and in that same frame. In other words, no more sneaky cross-site tracking based on your browsing history.
So, with Chrome version 136 just around the corner, Google is finally putting an end to a 20-year-old privacy headache by overhauling how it handles visited links. This fix is set to go live in late April.
Google patched a major vulnerability in its browser – one that has actually been around since day one and could've been used to snoop on your browsing habits.
In a recent blog post, Google broke down how it worked: websites could style links using the :visited selector to show different colors if you had already clicked them, regardless of where you clicked them before. That meant other sites could run sneaky scripts to check which links were purple – and essentially peek at where you've been online.
Before partitioning, when you clicked a link it would show as :visited on every site displaying that link. | Image credit – Google
You are browsing on Site A and click a link to go to Site B. In this scenario, Site B would be added to your :visited history. Later, you might visit Site Evil, which creates a link to Site B as well. Without partitioning, Site Evil would display that link to Site B as :visited—even though you hadn't clicked the link on Site Evil. Then, Site Evil could use a security exploit to learn whether the link was styled as :visited, therefore learning that you've visited Site B in the past—leaking information about your browsing history.
– Google, April 2025
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: