Google Chrome Fixes 20-Year-Old Flaw That Could Leak Your Browser History

Last updated: 2025/04/13 at 1:17 PM

News Room Published 13 April 2025

If you’ve spent a decent amount of time on the web, you’ve probably noticed that links change color after you click on them. But you probably didn’t realize that this small detail led to a two-decades-old security flaw that could have revealed sensitive details about your browsing history, and which Google has only just patched.

Explaining the flaw in a recent blog, Google said the browser cookies indicating whether or not you click on a link were what it called “unpartitioned.” This meant that if you had clicked a link, it would show as visited on every website displaying that link, even if it was completely unrelated.

Google called this a “core design flaw” as it potentially leaked information about users’ online activity.

“You are browsing on Site A and click a link to go to Site B,” explained Google. “In this scenario, Site B would be added to your visited history. Later, you might visit Site Evil, which creates a link to Site B as well.”

Google highlighted that “Site Evil” could then use this security exploit to learn whether the link was styled as visited, finding out that you’ve visited Site B in the past—leaking information about your browsing history in the process.

The search giant has now corrected the flaw in the latest Chrome update and will store data on what links you click separately, without sharing the info across different websites. The update is set to roll out in the Chrome 136 update and is already available via the Chrome Beta channel.

Recommended by Our Editors

It’s not just Google Chrome that was impacted by the problem. A 2009 research paper demonstrated how the bug caused potential security issues in Apple’s Safari, Opera, Internet Explorer, and Mozilla Firefox, noted The Register, one of the first places to cover the update.

The flaw is older than many Google employees. Security researcher Andrew Clover posted a proof-of-concept attack based on the flaw in 2002, citing a paper by Princeton researchers called “Timing Attacks on Web Privacy.”

Get Our Best Stories!

Newsletter Icon

Your Daily Dose of Our Top Tech News

Sign up for our What’s New Now newsletter to receive the latest news, best new products, and expert advice from the editors of PCMag.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio