Chrome's newest feature might pose a risk to your privacy and security


Google Chrome’s seamless updates have long been a big part of its appeal. But perhaps not anymore. With the latest version of Chrome already installed on hundreds of millions of computers and smartphones around the world, a significant warning has been issued that you might not like what it has running inside. 

Chrome 80 (check your version by going to Settings > About Chrome) contains a new browser capability called ScrollToTextFragment. This is deep linking technology tied to website text, but multiple sources have revealed it is a potentially invasive privacy nightmare. 

While Google is currently under pressure for new privacy concerns within Chrome 80, the company has now issued its own warning about Microsoft's new Chromium-based Edge browser. Google warns that, while technically compatible, installing Chrome extensions on Edge causes security vulnerabilities. To stress this point, Google is issuing a popup to every Edge user who visits the Chrome web store stating that it "recommends switching to Chrome to use extensions securely." To date there have been no reports of security compromises using Edge with Chrome extensions, including from Microsoft itself. So whether there is a genuine risk or this is a scare tactic from Google as it tries to protect its market position from Microsoft’s ambitious new browser remains to be seen. Either way, you should stay alert.

To understand why requires a brief guide to how ScrollToTextFragment works. The simple version is it allows Google to index websites and share links down to a single word of text and its position on the page. It does this by creating its own anchors to text (using the format: #:~:text=[prefix-,]textStart[,textEnd][,-suffix]) and it doesn’t require the permission of the web page author to do so. Google gives the harmless example: 

“[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat's diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
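The fragment syntax above, parsed in JavaScript as an added example (not code from the original article or from Google): it splits a link into prefix, textStart, textEnd and suffix, so a link scanner or mail gateway can log the directive or strip it before the link is opened. The function names and the portal.example host are assumptions, and the parsing follows the format string quoted above rather than Chrome's own implementation.

```javascript
// Lenient percent-decoding: a stray "%" (as in "60% of") must not throw.
function decodeLenient(s) {
  return s.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
    try { return decodeURIComponent(run); } catch (e) { return run; }
  });
}

// Returns one object per well-formed text directive in the URL ([] if none).
function parseTextDirectives(url) {
  const hashAt = url.indexOf('#');
  const delimAt = hashAt === -1 ? -1 : url.indexOf(':~:', hashAt);
  if (delimAt === -1) return [];
  const found = [];
  for (const item of url.slice(delimAt + 3).split('&')) {
    if (!item.startsWith('text=')) continue; // not a text directive
    const parts = item.slice(5).split(',');
    if (parts.length > 4 || parts.includes('')) continue; // malformed
    const d = { prefix: null, textStart: null, textEnd: null, suffix: null };
    // Markers are tested on the raw tokens, so an encoded "-" (%2D) or ","
    // (%2C) inside the text is never mistaken for syntax.
    if (parts[0].endsWith('-')) d.prefix = decodeLenient(parts.shift().slice(0, -1));
    if (parts.length && parts[parts.length - 1].startsWith('-')) {
      d.suffix = decodeLenient(parts.pop().slice(1));
    }
    if (parts.length !== 1 && parts.length !== 2) continue; // no textStart left
    d.textStart = decodeLenient(parts[0]);
    if (parts.length === 2) d.textEnd = decodeLenient(parts[1]);
    found.push(d);
  }
  return found;
}

// Removes the directive so a link opens without the forced scroll.
function stripTextDirectives(url) {
  const hashAt = url.indexOf('#');
  const delimAt = hashAt === -1 ? -1 : url.indexOf(':~:', hashAt);
  return delimAt === -1 ? url : url.slice(0, delimAt).replace(/#$/, '');
}

// Constructed sample links; portal.example is a placeholder host.
const samples = [
  'https://portal.example/records#:~:text=cancer',
  "https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat's diet",
  'https://portal.example/a#top:~:text=Dear-,patient,-%2C%20your',
];
for (const s of samples) {
  console.log(stripTextDirectives(s), JSON.stringify(parseTextDirectives(s)));
}
```

Because the comma after "On islands" is not percent-encoded in the quoted link, it is read as the textStart/textEnd separator, so the directive is parsed as a range rather than a single phrase.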

The deep linking freedom of ScrollToTextFragment can be very useful for sharing very specific links to parts of webpages. The problem is it can also be exploited. Warning about the development of ScrollToTextFragment

“Consider a situation where I can view DNS traffic (e.g. company network), and a hacker sent a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”

The ScrollToTextFragment is now active inside Chrome 80 stating that "Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a 'don't break the web', never-cross, redline. This spec does that."

David Baron, a principal engineer at Mozilla, maker of Firefox, also warned against the development of ScrollToTextFragment, saying: "My high-level opinion here is that this is a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems."

Defending the decision, Google’s engineers have issued a document outlining the pros/cons of the deep linking technology in ScrollToTextFragment and Chromium engineer David Bokan wrote this week that “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we're proceeding with allowing this without requiring opt-in.” 

Bokan says the company will work on an opt-out option, but how many will even know ScrollToTextFragment exists? And here lies the nub of it: Google has such power it can be judge and jury to decide what is or isn’t acceptable. So ScrollToTextFragment, with its unresolved privacy concerns and lack of support from other browser makers, is now out there, running in the background of hundreds of millions of Chrome installations. 

Whether you want to be part of that is up to you.

