Chrome’s new deep-linking feature raises privacy concerns

Don Sharpe
by Don Sharpe
Author
Loading Comments
Download PDF

Chrome browser

New Google Chrome 80 allows you to create a link that goes to a particular phrase or word, such as in an article on a web page. However, the feature continues to attract criticism among users who think it can facilitate privacy violations.

Ad

The ability to scroll to a text fragment

Have you ever experienced the frustration of clicking a link to, say, a 2000-word article only to have to search further before spotting the intended block of text? However long it may have been, you had to scroll down to the relevant part of the content because there was no direct link to it.

That is where Chrome’s deep-linking capability comes in. By appending a relevant text snippet to the URL, a web content author can create a link that takes the reader to a specific term instead of the entire web page.

The browser highlights the target phrase on the page that comes up when the user clicks a deep link.

Researcher sounds the alarm over Chrome’s deep-linking capability

Content creators and users will find the deep-linking feature handy in different scenarios, and there is no doubt that Google is coming from a good place with this idea.

But Browser security expert Peter Snyder faults the search engine giant for implementing it in Chrome without addressing the user privacy risks it allegedly poses. Last year, months before the scroll-to-text-fragment feature went live, the researcher had shared a hypothetical scenario in which an attacker could exploit it.

Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer. On certain page layouts, I might be able to tell if the employee has cancer by looking for lower-on-the-page resources being requested.

According to Peter’s thinking, somebody could send a scroll-to-text-fragment link on a mission to search for and retrieve confidential information via a web portal. Google does not seem to think the threat is severe enough, though.

The company has, in the past, announced various measures to protect user privacy and security in Chrome, including reining in on cross-site cookies. It would be reassuring if it also revealed the specific controls (if any) it has in place to prevent ill-intentioned actors from exploiting the deep-linking feature.

There are no reports of a successful deep-link exploit in Chrome so far.