Report: This Chrome feature may leak frequently visited sites

Martin Brinkmann
Oct 21, 2023
Google Chrome
|
13

Google Chrome and all other Chromium-based web browsers collect site engagement statistics. It measures how "engaged" a user is with a particular site. The score ranges from 0 to 100, with 100 being "super engaged" and 0 not at all.

The browser uses signals to compute the score. Signals may include clicking and scrolling, keypresses, media playback, or direct navigations.

All users of Chromium-based browsers can open the information for their browser profile. Just load chrome://site-engagement/ in the browser's address bar to look at the list.

Google notes that the data is not synced, which means that it is device and profile specific. Site engagement may be used by the browser, e.g., to prioritize tab discarding or allowing/blocking certain invasive features.

The information is copied whenever an Incognito session is opened in the browser, but no information is written back. This information is deleted when the browser is shut down according to the official documentation.

Your browser may leak your frequently visited websites

Site engagement information may leak  to visited websites, according to a report on the Fingerprint website, at least in Google Chrome. A demo page is available for Google Chrome.

The researchers use another Chrome feature, Lookalike Warnings, for that. Lookalike Warnings is a security feature that uses heuristics to determine if the user meant to visit a different website. A common example is a typo in the domain name, e.g., gooogle.com instead of google.com.

Lookalike Warnings is designed to warn users if it believes the site may not be the intended target and give them the chance to open the right website. Google Chrome uses a list of 4990 popular domains for that according to Fingerprint.

To find out if a user's engagement with a site is high, websites can try to load "lookalike" domains. Martin Bajanik over at Fingerprint explains: "Any website can initiate navigation by opening a new browser window with the detection website. This action requires user interaction, such as clicking a button; otherwise, the browser will block the popup window. However, a single popup window can be reused to test multiple websites, as the opener can repeatedly redirect the popup window to different locations."

What websites do with the information is up to them. From displaying targeted advertisement to malicious activities, all is possible.

Deleting site engagement

There is no option to disable site engagement in Chromium-based browsers. All collect the data and all provide access to the information to users.

Since there is no way to disable the collection, the next best thing is to delete the data regularly. The Chromium documentation reveals that engagement scores are linked to the browsing history. In other words, when users delete the browsing history, engagement scores are cleared.

Chrome users may load chrome://settings/clearBrowserData in the browser's address bar to open the Clear Browsing Data menu.

To clear the entire browsing history, select "all time" in the time range menu and make sure that browsing history is checked. Note that clearing the browsing history may temporarily interfere with certain browser features.

Restart the web browser and check the site engagement page again. It should list only a demo site and nothing else.

Closing Words

While this won't be used for widespread attacks or tracking, it is interesting nevertheless that something like this is possible. Switching to another Chromium-based browser, or better a non-Chromium-based browser, resolves this particular issue.

Now You: what is your take on this privacy issue?

Summary
Article Name
Report: This Chrome feature may leak frequently visited sites
Description
Google Chrome may leak frequently visited websites to sites on the Internet. Here is what you may do about it.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Anonymous said on October 22, 2023 at 11:25 am
    Reply

    So many damage control comments. The google chrome fan club is here.

    1. Anon said on October 24, 2023 at 1:25 pm
      Reply

      Surprised Iron Heart isn’t in the comments carrying water for Brave again…lol

  2. anonymous said on October 22, 2023 at 3:08 am
    Reply

    Brave have the same thing.
    brave : / / site-engagement

    ps. my previous comment 4575530 was never published though it’s posted earlier than post 4575538 and 4575554, may I know why?
    Have noticed in more recent time several posts never pass through despite following posting rules.

    1. Anonymous said on October 22, 2023 at 7:35 pm
      Reply

      “ps. my previous comment 4575530 was never published though it’s posted earlier than post 4575538 and 4575554, may I know why?
      Have noticed in more recent time several posts never pass through despite following posting rules.”

      Criticism of Google or Brave on this site is highly discouraged.

  3. Anonymous said on October 21, 2023 at 11:37 pm
    Reply

    Go to preferences file and edit it and remove the media and site engagement from it.
    Yes, it is added to Preferences file as plain text, it is not rocket science to deal with it without having to clear the whole history.
    So why is so ‘leaking’ about this besides being a clickbait headline??

    This has existed for years and it is mostly useless information that won’t mean anything, unless you are one of those that think an empty txt might be a ‘privacy risk’, the same people that use a phone and internet 24/7 and pretend privacy exists when you are connected to the web all the time and have accounts everywhere.

  4. Target C said on October 21, 2023 at 11:22 pm
    Reply

    Easy way > delete everything on exit. Period. No dramatic nor theatrical life please.

  5. Andy Prough said on October 21, 2023 at 10:11 pm
    Reply

    >”Switching to another Chromium-based browser, or better a non-Chromium-based browser, resolves this particular issue.”

    >”There is no option to disable site engagement in Chromium-based browsers. All collect the data and all provide access to the information to users.”

    These two statements appear to be contradictory Martin. You can’t say both that all chromium-based browsers are affected by the issue AND that switching to a different chromium-based browser resolves the issue.

    Or are you saying that only Chrome suffers from the leakage, whereas all of them collect the data? Seems a bit confusing the way it’s written.

  6. Dave Rader said on October 21, 2023 at 7:25 pm
    Reply

    It is disabled in ungoogled-chromium.

    1. Ray said on October 23, 2023 at 12:14 am
      Reply

      The site-engagement page exists in Ungoogled Chromium. Well, it does in the Marmaduke version. I haven’t tested mainline Ungoogled Chromium yet.

  7. Dan Carson said on October 21, 2023 at 2:16 pm
    Reply

    It is disabled in ungoogled-chromium

  8. Anonymous said on October 21, 2023 at 2:05 pm
    Reply

    Article:
    https://www.ghacks.net/2023/10/21/report-this-chrome-feature-may-leak-frequently-visited-sites/

    Same problem with Brave Browser.

    brave://site-engagement/

  9. John said on October 21, 2023 at 1:19 pm
    Reply

    Honestly, I don’t worry about any of this, it’s the internet and fretting about privacy issues is futile.
    Personally, I think we have gone back to the Internet Explorer days, yes, we have many browsers but most all run off of Chromium. That in itself makes all the browser subject to being targeted.

    1. gtz said on October 21, 2023 at 2:55 pm
      Reply

      “it’s the internet and fretting about privacy issues is futile” … Exactly – I had to share a connection in an island with co-workers and used OpenDns to filter. Thousands of secondary connections are established just for browsing a few pages.
      I once wrote this feedback to Google: As Confucios once said, there’s 2 ways to hide. High in the mountain or in the midst of the multitude ;)
      And we can complement with this Zen saying: The image in the mirror is you but you are not the image.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.