Report: This Chrome feature may leak frequently visited sites
Google Chrome and all other Chromium-based web browsers collect site engagement statistics, which measure how "engaged" a user is with a particular site. The score ranges from 0 to 100, with 100 being "super engaged" and 0 meaning not engaged at all.
The browser uses signals to compute the score. Signals may include clicking and scrolling, keypresses, media playback, or direct navigations.
All users of Chromium-based browsers can open the information for their browser profile. Just load chrome://site-engagement/ in the browser's address bar to look at the list.
Google notes that the data is not synced, which means that it is device and profile specific. Site engagement may be used by the browser, e.g., to prioritize tab discarding or to allow or block certain invasive features.
The information is copied whenever an Incognito session is opened in the browser, but no information is written back. According to the official documentation, this information is deleted when the browser is shut down.
Your browser may leak your frequently visited websites
Site engagement information may leak to visited websites, according to a report on the Fingerprint website, at least in Google Chrome. A demo page is available for Google Chrome.
The researchers use another Chrome feature, Lookalike Warnings, for that. Lookalike Warnings is a security feature that uses heuristics to determine if the user meant to visit a different website. A common example is a typo in the domain name, e.g., gooogle.com instead of google.com.
Lookalike Warnings is designed to warn users if it believes the site may not be the intended target and give them the chance to open the right website. Google Chrome uses a list of 4990 popular domains for that according to Fingerprint.
To find out if a user's engagement with a site is high, websites can try to load "lookalike" domains. Martin Bajanik over at Fingerprint explains: "Any website can initiate navigation by opening a new browser window with the detection website. This action requires user interaction, such as clicking a button; otherwise, the browser will block the popup window. However, a single popup window can be reused to test multiple websites, as the opener can repeatedly redirect the popup window to different locations."
What websites do with the information is up to them. Anything is possible, from displaying targeted advertisements to malicious activities.
Deleting site engagement
There is no option to disable site engagement in Chromium-based browsers. All collect the data and all provide access to the information to users.
Since there is no way to disable the collection, the next best thing is to delete the data regularly. The Chromium documentation reveals that engagement scores are linked to the browsing history. In other words, when users delete the browsing history, engagement scores are cleared.
Chrome users may load chrome://settings/clearBrowserData in the browser's address bar to open the Clear Browsing Data menu.
To clear the entire browsing history, select "all time" in the time range menu and make sure that browsing history is checked. Note that clearing the browsing history may temporarily interfere with certain browser features.
Restart the web browser and check the site engagement page again. It should list only a demo site and nothing else.
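To check what a profile actually holds, and to drop only the engagement entries instead of the whole history, the profile's Preferences file can be inspected directly, as readers point out in the comments. The following is an added example, not code from the article or from Chromium; it assumes the scores sit under profile.content_settings.exceptions in that JSON file, and the sample data is constructed.

```python
import json
import sys

# Assumed layout (not stated in the article): per-origin entries live under
# profile.content_settings.exceptions.{site_engagement,media_engagement}.
ENGAGEMENT_KEYS = ("site_engagement", "media_engagement")

def _exceptions(prefs):
    return (prefs.get("profile", {})
                 .get("content_settings", {})
                 .get("exceptions", {}))

def list_engagement(prefs):
    """Return [(origin, raw_score)] sorted by score, highest first."""
    entries = _exceptions(prefs).get("site_engagement", {})
    scored = []
    for pattern, value in entries.items():
        origin = pattern.split(",", 1)[0]   # key looks like "https://host:443,*"
        scored.append((origin, value.get("setting", {}).get("rawScore", 0.0)))
    return sorted(scored, key=lambda item: item[1], reverse=True)

def strip_engagement(prefs):
    """Remove engagement entries in place; return how many were dropped."""
    exceptions = _exceptions(prefs)
    return sum(len(exceptions.pop(key, {})) for key in ENGAGEMENT_KEYS)

# Constructed sample standing in for a real Preferences file.
SAMPLE = json.loads("""
{"profile": {"content_settings": {"exceptions": {
  "site_engagement": {
    "https://news.example:443,*": {"setting": {"rawScore": 12.0}},
    "https://mail.example:443,*": {"setting": {"rawScore": 87.5}}},
  "media_engagement": {
    "https://mail.example:443,*": {"setting": {"visits": 9}}},
  "cookies": {}
}}}}
""")

if __name__ == "__main__":
    # Optional argument: path to a COPY of the Preferences file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE
    for origin, score in list_engagement(prefs):
        print(f"{score:6.1f}  {origin}")
    print("entries removed:", strip_engagement(prefs))
    if len(sys.argv) > 1:
        with open(sys.argv[1] + ".stripped", "w", encoding="utf-8") as fh:
            json.dump(prefs, fh)
```

Work on a copy taken while the browser is closed; a running browser keeps preferences in memory and rewrites the file.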
Closing Words
While this won't be used for widespread attacks or tracking, it is interesting nevertheless that something like this is possible. Switching to another Chromium-based browser, or better a non-Chromium-based browser, resolves this particular issue.
Now You: what is your take on this privacy issue?
So many damage control comments. The google chrome fan club is here.
Surprised Iron Heart isn’t in the comments carrying water for Brave again…lol
Brave have the same thing.
brave://site-engagement
ps. my previous comment 4575530 was never published though it’s posted earlier than post 4575538 and 4575554, may I know why?
Have noticed in more recent time several posts never pass through despite following posting rules.
“ps. my previous comment 4575530 was never published though it’s posted earlier than post 4575538 and 4575554, may I know why?
Have noticed in more recent time several posts never pass through despite following posting rules.”
Criticism of Google or Brave on this site is highly discouraged.
Go to preferences file and edit it and remove the media and site engagement from it.
Yes, it is added to Preferences file as plain text, it is not rocket science to deal with it without having to clear the whole history.
So what is so ‘leaking’ about this besides being a clickbait headline??
This has existed for years and it is mostly useless information that won’t mean anything, unless you are one of those that think an empty txt might be a ‘privacy risk’, the same people that use a phone and internet 24/7 and pretend privacy exists when you are connected to the web all the time and have accounts everywhere.
Easy way > delete everything on exit. Period. No dramatic nor theatrical life please.
>”Switching to another Chromium-based browser, or better a non-Chromium-based browser, resolves this particular issue.”
>”There is no option to disable site engagement in Chromium-based browsers. All collect the data and all provide access to the information to users.”
These two statements appear to be contradictory Martin. You can’t say both that all chromium-based browsers are affected by the issue AND that switching to a different chromium-based browser resolves the issue.
Or are you saying that only Chrome suffers from the leakage, whereas all of them collect the data? Seems a bit confusing the way it’s written.
It is disabled in ungoogled-chromium.
The site-engagement page exists in Ungoogled Chromium. Well, it does in the Marmaduke version. I haven’t tested mainline Ungoogled Chromium yet.
It is disabled in ungoogled-chromium
Article:
https://www.ghacks.net/2023/10/21/report-this-chrome-feature-may-leak-frequently-visited-sites/
Same problem with Brave Browser.
brave://site-engagement/
Honestly, I don’t worry about any of this, it’s the internet and fretting about privacy issues is futile.
Personally, I think we have gone back to the Internet Explorer days, yes, we have many browsers but most all run off of Chromium. That in itself makes all the browsers subject to being targeted.
“it’s the internet and fretting about privacy issues is futile” … Exactly – I had to share a connection on an island with co-workers and used OpenDNS to filter. Thousands of secondary connections are established just for browsing a few pages.
I once wrote this feedback to Google: As Confucius once said, there’s 2 ways to hide. High in the mountain or in the midst of the multitude ;)
And we can complement with this Zen saying: The image in the mirror is you but you are not the image.