Days after Google rolled out the latest version of its web browser, Google Chrome, a researcher based in California, United States, has raised concerns over a feature that allegedly leads to potential privacy threats. The researcher who works at Brave web browser, a US-based web browsing company, claims that the latest update to Chrome — Google Chrome 80 — that was rolled out on February 4, leads to privacy risks that "Google did not address before making it live".
According to an online report, the feature, Scroll To Text Fragment, that was developed by the company early in 2019, allowed developers to share a specific word/phrase of a web page rather than the entire link. With this, the shared link will allow the other reader to jump to the specific section of a web page which the developer wants to emphasise.
However, in doing so, there is a risk of exposing additional user data to service providers and others, which could become a problem with sensitive data, such as medical information, for example.
To use this feature, GitHub, a Microsoft subsidiary, stated that the user would need to create a special URL using this: https://example.com#:~:text=prefix-,startText,endText,-suffix
The website also noted that Scroll To Text Fragment is useful for "arbitrary pages across the web". To understand the working of this feature, a Twitter user illustrates through a video here:
Text fragments will soon be available in Chromium land. You can then use `#:~:text=` to highlight certain text. ????— Stefan Judis (@stefanjudis) February 5, 2020
???? Chrome status: https://t.co/e60xiQoQoT
???? Spec: https://t.co/t02TFfGO2X#devsheets
Video alt: Usage of text fragments to highlight text on wikipedia pic.twitter.com/W5tUYZk8NY
In a series of online posts, Peter Snyder, Senior researcher at Brave web browser, claimed that Scroll To Text Fragment feature is an "important feature" however, "seems to enable some privacy attacks, by exposing new types of information to new types of observers".
"For example: Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer. On certain page layouts, i might be able tell if the employee has cancer by looking for lower-on-the-page resources being requested", Snyder said adding, "by enabling this feature by default for all sites rather than allowing sites to opt into the feature, it automatically imposes this potential privacy risk on all sites".
In a similar post, David Baron, a Principal Engineer at Mozilla Firefox, warned against the development of ScrollToTextFragment. In an online post, Baron wrote:
"My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems. So I think the question we should think about is how the problems of the solution chosen here compare to the problems of other options and how they compare to the value of the feature".
According to the online report, Google is addressing this issue in its next version of Google Chrome - Chrome 82. Overall, Chrome 80 that was launched earlier this month, hosts cross-site tracking, that can prevent security issues caused by cookie vulnerabilities.