Google working on blocking Back button hijacking in Chrome
Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser’s history and, indirectly, the Back button.
The issue at hand is a well-known tactic employed by many shady sites across the Internet. A user visits a website, accidentally clicks or taps on an ad, and is taken to a new page.
But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page.
Under the hood, this happens because malicious sites will perform tens of “redirects” toward the same URL, effectively poisoning the browser history with the same link, and rendering the Back button useless.
In another tactic, websites don’t hijack the user’s normal web navigation but secretly insert ad pages into the browser history list. When the user goes back to a previous page, they land on an ad page instead, without ever having visited that particular URL.
But recent source code updates [1, 2, 3] to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior.
These code updates will allow Chrome to detect whether browser history entries were generated by user interaction or by an automated method.
During an initial testing phase, Chrome will only mark and report these fake history entries to Chrome engineers, so they can analyze the various ways Chrome’s history is being abused in the wild.
The endgame is to block or skip these “fake history entries” altogether, according to 9to5Google, the Google-centric blog which first spotted these updates.
However, Chrome engineers have told ZDNet that they are treading lightly with this new feature. The reason is that they don’t want the implementation to misfire and flag legitimate browser history entries as “Back button hijacks,” and later remove them from the browser’s history list.
One can easily imagine the public backlash and “censoring” accusations Google would face if this new security feature goes even slightly wrong.
For now, this new feature is in an “under development” phase, but it’s expected to land on the chrome://flags page sometime in Q1 2019.
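The two rollout stages described above (first mark and report automated history entries, later skip them on Back) can be compared with a small model. This is an added example, not Chromium code: the `SessionHistory` class, its `automated` flag, the two mode names and the sample URLs are all assumptions made for illustration.

```javascript
// Simplified model, not Chromium code. All names here are hypothetical.
class SessionHistory {
  constructor(mode) {
    this.mode = mode;      // "report": flag only; "skip": Back jumps over flagged entries
    this.entries = [];
    this.index = -1;
    this.reported = [];    // flagged entries that Back encountered
  }

  // userInitiated is false when the page added the entry with no click, tap or key press.
  add(url, userInitiated) {
    this.entries.length = this.index + 1;  // a new entry discards forward history
    this.entries.push({ url, automated: !userInitiated });
    this.index = this.entries.length - 1;
  }

  current() {
    return this.index >= 0 ? this.entries[this.index].url : null;
  }

  // One press of Back; returns the URL the user ends up on.
  back() {
    if (this.index <= 0) return this.current();
    let target = this.index - 1;
    while (target > 0 && this.entries[target].automated) {
      this.reported.push(this.entries[target].url);
      if (this.mode !== "skip") break;     // report-only: still land on the flagged entry
      target--;
    }
    this.index = target;
    return this.current();
  }
}

// Constructed session: two pages reached by clicks, an ad reached by a tap,
// then three more entries for the ad URL that arrive with no user input.
function pressesToLeaveAd(mode) {
  const h = new SessionHistory(mode);
  h.add("https://search.example/results", true);
  h.add("https://news.example/article", true);
  h.add("https://ads.example/landing", true);
  for (let i = 0; i < 3; i++) h.add("https://ads.example/landing", false);
  let presses = 0;
  while (h.index > 0 && h.current().startsWith("https://ads.example/")) {
    h.back();
    presses++;
  }
  return { presses, landedOn: h.current(), reported: h.reported.length };
}
```

The model decides on a single boolean per entry, so any legitimate entry added without interaction would be flagged the same way, which is the misfire the engineers say they want to avoid.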