Vulnerabilities in Google Chrome Expose Frequently Visited Websites
On October 21st, according to the latest security report from Fingerprint, all Chromium-based browsers, including Google Chrome, are susceptible to vulnerabilities that can expose the websites you frequently visit.
The primary issue stems from “Site Engagement.” Users can open their browser, type “chrome://site-engagement” in the address bar, and view a list of their most frequently visited websites.

To exploit this and steal information about a user’s frequently visited websites, another feature, “Lookalike Warnings,” needs to be utilized. Notably, this feature was introduced by default in Chrome version 75 and is designed to identify similar URL addresses, thus preventing users from accessing phishing websites.
Fingerprint has currently embedded a list of mainstream domains within Chromium, including 489 “top bucket” sites, totaling 4,990 domains.
Lookalike Warnings come in two types of alerts: highly suspicious sites trigger full-screen warnings, while less suspicious ones produce pop-up windows.
By exploiting Lookalike Warnings, websites can reveal the websites that Chromium browser users visit most often. For example, visiting “app.slack.com.detection.site” will only trigger the highly suspicious warning if the user has interacted with “app.slack.com.”
Any website can gauge a user’s engagement with specific sites by observing how the warning pop-ups open, and the “opener” can repeatedly redirect pop-ups to different addresses, thereby repeatedly confirming the high engagement of certain websites by the user.
The company has also launched a demo website where users of any Chromium-based browser can test this vulnerability.
At present, users cannot disable the “Site Engagement” feature, so the current workaround is to regularly clear the data. Users can accomplish this by loading “chrome://settings/clearBrowserData” in the browser’s address bar.
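To check which sites a profile would expose, and to confirm that clearing the data actually removed them, the stored engagement scores can be audited offline. The following Python sketch is an added example, not code from Fingerprint or Chromium; it reads a constructed sample and models the warning decision in simplified form. Assumptions: the `Preferences` key layout, the threshold value, and the helper names `engaged_hosts` and `embedded_engaged_site` are illustrative.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the site-engagement section of a Chromium profile's
# "Preferences" JSON file. The key layout is an assumption based on observed
# profiles; the origins and scores are made up.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"site_engagement": {
  "https://app.slack.com:443,*":    {"setting": {"rawScore": 62.4}},
  "https://mail.example.org:443,*": {"setting": {"rawScore": 18.0}},
  "https://news.example.net:443,*": {"setting": {"rawScore": 3.2}}
}}}}}
""")

# Assumed cut-off above which a site counts as "engaged"; illustrative value.
ENGAGED_THRESHOLD = 15.0


def engaged_hosts(prefs, threshold=ENGAGED_THRESHOLD):
    """Map hostname -> score for every origin at or above the threshold."""
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("site_engagement", {}))
    hosts = {}
    for pattern, record in entries.items():
        origin = pattern.split(",", 1)[0]          # drop the ",*" suffix
        host = urlsplit(origin).hostname
        score = float(record.get("setting", {}).get("rawScore", 0.0))
        if host and score >= threshold:
            hosts[host] = max(score, hosts.get(host, 0.0))
    return hosts


def embedded_engaged_site(hostname, engaged):
    """Simplified model of the lookalike check: return the engaged host that
    forms the leading labels of `hostname`, or None if there is none."""
    hostname = hostname.lower().rstrip(".")
    for site in sorted(engaged, key=len, reverse=True):
        if hostname != site and hostname.startswith(site + "."):
            return site
    return None


if __name__ == "__main__":
    engaged = engaged_hosts(SAMPLE_PREFS)
    for host, score in sorted(engaged.items(), key=lambda kv: -kv[1]):
        print(f"{score:6.1f}  {host}  (history observable via the warning)")
    print(embedded_engaged_site("app.slack.com.detection.site", engaged))
```

Run against a copy of a real profile's `Preferences` file before and after clearing browsing data, the list of engaged hosts should come back empty the second time.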