CyberTimes
Tags: chrome, browser, privacy, CVE-2024-12347
February 1, 2026 · CyberTimes Security Team

Chrome History Leak Bug Lets Malicious Sites Track Your Browsing — Update to Latest Version Now

An older version of Google Chrome has a bug that could allow websites to see what other sites you've visited.

Severity: 🟢 LOW
CVSS Score: 4.3/10
Exploited: No
Fix Status: Patch available
Only if you're using Chrome version 120 or older

Google has patched a privacy vulnerability in Chrome that could allow malicious websites to detect which other websites you've visited. While this isn't as severe as a data breach or malware infection, it's a privacy concern that could be used for targeted advertising, tracking, or even social engineering attacks. If you're running an older version of Chrome, here's what you need to know.


Affected products

  • Google Chrome 120
  • Google Chrome 119

How to Fix

Step-by-step remediation

Updating Chrome takes less than a minute:

  1. Open Chrome

Launch Google Chrome on your computer.

  2. Access the Menu

Click the three vertical dots (⋮) in the top-right corner of the browser window.

  3. Go to Help

Hover over 'Help' in the dropdown menu.

  4. Click 'About Google Chrome'

This opens a new tab showing your Chrome version.

  5. Wait for the Update

Chrome will automatically check for updates and download them. You'll see 'Checking for updates...' followed by 'Updating...' if an update is available.

  6. Relaunch Chrome

Once the update is downloaded, click 'Relaunch' to restart Chrome with the new version.

  7. Verify the Update

After relaunching, go back to Help > About Google Chrome. You should see 'Chrome is up to date' and a version number of 121 or higher.
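
When more than a handful of machines need the step 7 check, the same "121 or higher" threshold can be applied to collected version strings. The script below is an added example, not part of the original article or any Google tooling; the hostnames, sample strings and status labels are constructed for illustration.

```javascript
// Added example: apply the article's version threshold to an inventory.
const FIXED_MAJOR = 121; // from the article: version 121 or higher is patched

// Pull the Chrome major version out of `google-chrome --version` output
// or a User-Agent header. Returns null when no Chrome version is present.
function chromeMajor(text) {
  const m = /(?:Google Chrome|Chrome\/)\s*(\d+)\.\d+\.\d+\.\d+/.exec(text);
  return m ? Number(m[1]) : null;
}

function classify(text) {
  // Desktop Edge and Opera also send a "Chrome/NNN" token in their
  // User-Agent. The article covers Google Chrome only, so report those
  // separately instead of counting them as Chrome installs.
  if (/\b(Edg|OPR)\//.test(text)) return "other-browser";
  const major = chromeMajor(text);
  if (major === null) return "unknown";
  return major >= FIXED_MAJOR ? "patched" : "needs-update";
}

// Constructed sample inventory (hostnames and build numbers are made up).
const inventory = [
  ["host-a", "Google Chrome 120.0.1111.11"],
  ["host-b", "Google Chrome 121.0.2222.22"],
  ["host-c", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"],
  ["host-d", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"],
  ["host-e", "version string missing"],
];

function audit(rows) {
  return rows.map(([host, version]) => ({ host, status: classify(version) }));
}

console.table(audit(inventory));
```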


What happened

This vulnerability is known as a 'history sniffing' bug. Here's how it works in simple terms:

When you visit websites, your browser keeps a record of where you've been. Normally, websites shouldn't be able to see this history - it's private to you. However, this bug allowed cleverly designed websites to figure out which sites you've visited by analyzing subtle differences in how your browser displays links.

Imagine you're reading a newspaper, but the ink color slightly changes based on articles you've read before. Someone watching could figure out your reading habits just by observing these subtle changes. That's essentially what this bug allowed websites to do with your browsing history.

This type of attack has been around for years, but browsers keep finding and fixing new variations. This particular bug affected Chrome versions 120 and earlier.

Real-World Impact

While this vulnerability isn't being actively exploited in major attacks, history sniffing can be used for:

- Targeted advertising - Knowing you visited competitor sites or specific product pages

- Profiling - Building a picture of your interests, political views, or health concerns

- Phishing - Crafting more convincing scams based on services you actually use

- Price discrimination - Showing different prices based on sites you've visited

For example, if a malicious site detected you'd visited banking websites, they might show you a fake 'security alert' designed to look like your bank's actual website.

Technical Details

CVE-2024-12347 is a CSS-based timing side-channel vulnerability in Chrome's rendering engine. By measuring the time it takes to render visited vs. unvisited link styles, malicious JavaScript could infer browsing history. The fix implements stricter same-origin policies for :visited pseudo-class styling and adds timing noise to prevent accurate measurements.
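
The "timing noise" part of the fix can be sized with a toy model: how often can an observer tell two rendering paths apart from one reading, as the added noise grows? This is an added example, not Chrome's rendering or mitigation code; the 0.2 ms gap, the jitter, the cutoff and all function names are constructed assumptions.

```javascript
// Toy model (added example): effect of injected timing noise on a
// timing side channel. All numbers are constructed, not measured.

// Small seeded PRNG so every run gives the same figures.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Uniform value in [-half, +half).
const uniform = (rand, half) => (rand() * 2 - 1) * half;

// One simulated render-time reading in ms. The two style paths differ by
// 0.2 ms with +/-0.05 ms natural jitter; noiseMs is the mitigation's noise.
function reading(rand, visited, noiseMs) {
  const base = visited ? 1.0 : 1.2;
  return base + uniform(rand, 0.05) + uniform(rand, noiseMs);
}

// Fraction of readings labelled correctly with a fixed 1.1 ms cutoff.
// 1.0 means the channel leaks fully; 0.5 is no better than a coin flip.
function distinguishability(noiseMs, trials = 4000, seed = 1) {
  const rand = mulberry32(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const visited = i % 2 === 0;
    const guess = reading(rand, visited, noiseMs) < 1.1;
    if (guess === visited) correct++;
  }
  return correct / trials;
}

for (const noise of [0, 0.1, 0.5, 2.0]) {
  console.log(`noise +/-${noise} ms -> ${distinguishability(noise).toFixed(3)}`);
}
```

Noise smaller than the gap between the two paths leaves most readings classifiable; only noise several times larger than the gap pushes the figure toward 0.5.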

"Privacy vulnerabilities like this remind us that security isn't just about preventing hackers from stealing data - it's also about protecting the small details of our digital lives that can be pieced together to form a complete picture." - Electronic Frontier Foundation


🛡️ Prevention Tips

To keep Chrome secure and private:

  1. Enable automatic updates - Chrome usually updates automatically, but check Settings > About Chrome periodically
  2. Restart Chrome regularly - Updates only apply after restarting the browser
  3. Use private browsing for sensitive sites - Press Ctrl+Shift+N (or Cmd+Shift+N on Mac) for Incognito mode
  4. Consider privacy extensions - Tools like uBlock Origin can block many tracking scripts
  5. Clear browsing history periodically - Settings > Privacy and Security > Clear browsing data
  6. Review your privacy settings - Settings > Privacy and Security lets you control what Chrome tracks

FAQs

How do I check my current Chrome version?

Click the three dots menu > Help > About Google Chrome. Your version number will be displayed. If it's 121 or higher, you're protected against this specific vulnerability.


Does this affect Chrome on my phone?

This vulnerability primarily affected desktop Chrome. Mobile Chrome has slightly different code, but it's still good practice to keep all your browsers updated.


I use a different browser - am I safe?

This specific bug only affected Chrome. However, similar history sniffing vulnerabilities have been found in other browsers over the years. Keep all your browsers updated regardless of which one you use.


Can websites see my passwords or personal data?

No. This bug only allowed detection of which websites you've visited, not any login credentials, form data, or page content. Your passwords and personal information remained secure.

