Netizen: Monday Security Brief (4/14/2024)

Today’s Topics:

  • Chrome 136 Patches 20-Year Privacy Loophole Linked to Visited Link Styling
  • Tycoon2FA Phishing Kit Evolves With Advanced MFA Bypass and Evasion Tactics
  • How can Netizen help?

Chrome 136 Patches 20-Year Privacy Loophole Linked to Visited Link Styling

Google has resolved a long-standing web privacy flaw in Chrome that allowed websites to detect a user’s browsing history by exploiting the browser’s styling of visited links. The fix, which lands in Chrome version 136, closes a gap that’s existed for over two decades and has been used in multiple real-world tracking techniques.

Web browsers traditionally allow websites to visually distinguish between visited and unvisited links by applying different styles through the CSS :visited pseudo-class. A visited link often appears in purple instead of blue, which serves as a helpful user interface cue.

However, this visual feedback creates an opportunity for malicious sites to check if certain links have been visited by measuring how they render. This side channel can be abused to reconstruct parts of a user’s browsing history.

Even though browsers like Chrome blocked access to certain styling properties to mitigate this, researchers still demonstrated successful privacy attacks using techniques such as:

  • Timing-based inference
  • Pixel inspection
  • User interaction tracking
  • Process-level attacks

These tactics made it possible to confirm whether a visitor had previously accessed certain URLs — across different sites — without any user interaction.

Starting in Chrome 136, visited links are no longer treated globally. Instead, Chrome applies triple-key partitioning to store visited status using:

  1. The destination URL (the actual link)
  2. The top-level site (domain in the address bar)
  3. The frame origin (the frame or iframe where the link is displayed)

With this change, a visited link will only appear as visited if it was clicked on the same site and within the same frame origin. This eliminates cross-site leakage while preserving the feature’s utility for single-site navigation.

To maintain usability, Chrome includes a self-link exception. If a user visits a link on a given site, that link will still show as visited when viewed on that same site, even if it was originally clicked from a different domain. Since the site already knows which of its pages were visited, this doesn’t introduce new privacy risks.
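The lookup described above, modelled as an added illustration for this brief (it is not Chromium code): a toy visited-link store that keeps the old URL-only set beside the triple-keyed set, so the same five lookups can be compared. Assumptions: a "site" is reduced to scheme plus host (Chromium uses the registrable domain), and the self-link rule is modelled as "the link's site equals both the top-level site and the frame origin". All URLs are constructed.

```javascript
// Added illustration: toy model of Chrome 136's triple-keyed :visited partitioning.
// Not Chromium code. Assumptions: "site" = scheme + host (Chromium uses the
// registrable domain); self-link = link site == top-level site == frame origin.

// Reduce a URL to its site (scheme + host).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// Origin of the frame in which the link is rendered.
function originOf(url) {
  return new URL(url).origin;
}

// Build the triple key: destination URL, top-level site, frame origin.
function partitionKey({ linkUrl, topUrl, frameUrl }) {
  return JSON.stringify([linkUrl, siteOf(topUrl), originOf(frameUrl)]);
}

class VisitedLinkStore {
  constructor() {
    this.partitioned = new Set(); // Chrome 136 behaviour: triple-keyed entries
    this.global = new Set();      // pre-136 behaviour: keyed by URL alone
  }

  // Record a click on linkUrl made inside frameUrl, under top-level page topUrl.
  recordClick(ctx) {
    this.global.add(ctx.linkUrl);
    this.partitioned.add(partitionKey(ctx));
  }

  // Legacy lookup: a URL visited anywhere renders as :visited everywhere,
  // which is the cross-site side channel the brief describes.
  isVisitedGlobal(linkUrl) {
    return this.global.has(linkUrl);
  }

  // Partitioned lookup: the click must have happened in this same
  // (top-level site, frame origin) partition ...
  isVisitedPartitioned(ctx) {
    if (this.partitioned.has(partitionKey(ctx))) return true;
    // ... unless the link is a self-link: it points at the site rendering it,
    // which already knows which of its own pages were visited.
    const s = siteOf(ctx.linkUrl);
    const selfLink = s === siteOf(ctx.topUrl) && s === siteOf(ctx.frameUrl);
    if (!selfLink) return false;
    for (const key of this.partitioned) {
      if (JSON.parse(key)[0] === ctx.linkUrl) return true;
    }
    return false;
  }
}

// Walk-through with constructed URLs; returns the lookups for inspection.
function demo() {
  const store = new VisitedLinkStore();
  const link = 'https://bank.example/statements';
  const bank = 'https://bank.example/';
  const tracker = 'https://tracker.example/';
  const search = 'https://search.example/';
  const ads = 'https://ads.example/frame.html';

  // The user clicks the bank link from a search results page.
  store.recordClick({ linkUrl: link, topUrl: search, frameUrl: search });

  return {
    // Old behaviour: any page can learn the link was visited.
    globalOnTracker: store.isVisitedGlobal(link),
    // Chrome 136: the tracker's partition never saw that click.
    partitionedOnTracker: store.isVisitedPartitioned({ linkUrl: link, topUrl: tracker, frameUrl: tracker }),
    // Same top-level site as the click, but rendered inside a third-party iframe: different frame origin.
    partitionedInAdFrame: store.isVisitedPartitioned({ linkUrl: link, topUrl: search, frameUrl: ads }),
    // Same partition as the click: still styled as visited.
    partitionedOnSearch: store.isVisitedPartitioned({ linkUrl: link, topUrl: search, frameUrl: search }),
    // Self-link exception: the bank shows its own page as visited even though
    // the click came from search.example.
    partitionedOnBank: store.isVisitedPartitioned({ linkUrl: link, topUrl: bank, frameUrl: bank }),
  };
}

console.log(demo());
```

Running `node` on the file prints the five lookups: only the global lookup and the two same-partition or self-link cases report the link as visited; the tracker page and the third-party iframe get the unvisited style.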

Google considered alternatives, including:

  • Deprecating :visited entirely: ruled out due to its UX value
  • Permissions models: considered too easy to exploit or mislead users

Instead, partitioning provided the best balance of security and usability.

This fix was introduced as an experimental flag in Chrome 132 and will be enabled by default in Chrome 136. Until then, users can manually activate it via the following flag:

chrome://flags/#partition-visited-link-database-with-self-links

After setting the flag to “Enabled”, restart Chrome to apply the change. Note that this experimental version may still show unstable behavior in some contexts.

As of now, other major browsers like Firefox and Safari have only partially mitigated the :visited link leakage issue. Chrome 136 sets a new benchmark in addressing this subtle but impactful privacy concern.


Tycoon2FA Phishing Kit Evolves With Advanced MFA Bypass and Evasion Tactics

The Tycoon2FA phishing kit—known for its ability to bypass multi-factor authentication (MFA) for Microsoft 365 and Gmail accounts—has received major updates that improve its stealth, obfuscation, and evasive capabilities.

Originally identified by Sekoia in late 2023, the Tycoon2FA phishing-as-a-service (PhaaS) platform continues to evolve, with the latest findings from Trustwave detailing how its updated toolkit now evades detection more effectively and targets victims with increased precision.

Key Technical Enhancements

1. Unicode Obfuscation in JavaScript

Tycoon2FA operators are now using invisible Unicode characters to embed binary data inside JavaScript payloads. This data is then decoded and executed at runtime, making static pattern detection and manual code inspection significantly more difficult. First reported by Juniper Threat Labs, this technique helps the payload fly under the radar of most email filters and endpoint detection tools.

2. Self-Hosted CAPTCHA Using HTML5 Canvas

The kit has moved away from using Cloudflare Turnstile in favor of a self-hosted CAPTCHA rendered via HTML5 canvas. The visual elements are randomized to avoid fingerprinting, allowing attackers to bypass domain reputation systems and detection based on CAPTCHA frameworks.

3. Advanced Anti-Debugging and Analysis Evasion

New anti-debugging logic detects common analysis tools like Burp Suite and PhantomJS. If these tools are identified, or if the CAPTCHA interaction fails (a potential sign of an automated scanner), the user is redirected either to a legitimate site like rakuten.com or is served a decoy page to break the analysis flow.

These improvements make it more difficult for defenders to analyze infrastructure, reverse engineer payloads, or automate detection via browser-based sandboxing.

In parallel with toolkit updates, Trustwave has observed a dramatic increase in the use of malicious SVG files in phishing campaigns—a 1,800% jump from April 2024 to March 2025. This surge is being fueled by Tycoon2FA and other PhaaS platforms like Mamba2FA and Sneaky2FA.

SVG files are being disguised as voicemail alerts, logos, or shared documents and are weaponized with embedded JavaScript. These scripts often use multiple layers of obfuscation—such as base64, ROT13, XOR, and junk code—to evade detection by email scanners and endpoint tools.

Upon rendering, the embedded code redirects the victim to fake Microsoft 365 login portals designed to harvest credentials.

A recent campaign spoofed Microsoft Teams notifications, using an SVG file disguised as a voicemail message. When opened, the file launched a browser and executed obfuscated JavaScript to redirect the user to a phishing page mimicking the Office 365 login screen.
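A defender-side triage check for the two indicators this brief describes, the invisible-Unicode obfuscation in item 1 and script-bearing SVG attachments, added here as an example and not Trustwave's or Juniper's tooling. The indicator list, the set of invisible code points, and both sample files are constructed for illustration; the "suspicious" sample mirrors only the shape described above (an event handler, a decoder call and a navigation) with a placeholder that decodes to https://example.invalid/.

```javascript
// Added example: triage an SVG attachment for executable content, runtime
// decoding, and invisible Unicode. Not vendor tooling; indicator list,
// character set and samples are constructed for illustration.

// Zero-width and filler code points that render as nothing (assumed list).
const INVISIBLE_CHARS = /[\u200B-\u200D\u2060\u2062-\u2064\uFEFF\u115F\u1160\u3164\uFFA0]/g;

// Indicators that an "image" carries code or decodes something at runtime.
const CHECKS = [
  { id: 'script-element',  re: /<script[\s>]/i },
  { id: 'event-handler',   re: /\son[a-z]+\s*=/i },        // onload=, onclick=, onerror= ...
  { id: 'javascript-href', re: /href\s*=\s*["']\s*javascript:/i },
  { id: 'foreign-object',  re: /<foreignObject[\s>]/i },   // HTML embedded inside SVG
  { id: 'decoder-call',    re: /\b(atob|eval|unescape|Function)\s*\(/ },
  { id: 'location-write',  re: /\blocation\b\s*(\.href\s*)?(=[^=]|\.replace\(|\.assign\()/ },
  { id: 'long-base64',     re: /[A-Za-z0-9+/]{120,}={0,2}/ },
];

// Indicators meaning "this file can run code when opened"; any one of them
// is reason enough to hold an attachment that claims to be a picture.
const EXECUTABLE = new Set(['script-element', 'event-handler', 'javascript-href', 'foreign-object']);

// Remove invisible characters so an analyst sees the script as the engine does.
function stripInvisible(text) {
  return text.replace(INVISIBLE_CHARS, '');
}

// Scan one SVG document; returns the matched indicator ids and a verdict.
function scanSvg(svgText) {
  const findings = CHECKS.filter(c => c.re.test(svgText)).map(c => c.id);
  const invisibleChars = (svgText.match(INVISIBLE_CHARS) || []).length;
  if (invisibleChars > 0) findings.push('invisible-unicode');
  const suspicious = invisibleChars > 0 || findings.some(f => EXECUTABLE.has(f));
  return { suspicious, findings, invisibleChars };
}

// Constructed samples (not real campaign files).
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="160" height="40">
  <rect width="160" height="40" fill="#eee"/>
  <text x="8" y="25">Voicemail (0:42)</text>
</svg>`;

const SUSPICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="go()">
  <text x="8" y="25">Voicemail (0:42)</text>
  <script>
    var hidden = "\u3164\uFFA0\u3164\uFFA0";                 // four invisible filler characters
    var target = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv"); // placeholder, decodes to https://example.invalid/
    window.location = target;
  </script>
</svg>`;

for (const [name, text] of [['logo.svg', BENIGN_SVG], ['voicemail.svg', SUSPICIOUS_SVG]]) {
  console.log(name, scanSvg(text));
}
```

The verdict deliberately ignores the `long-base64` and `decoder-call` hits on their own: a legitimate SVG can embed a base64 raster image, but an attachment that claims to be a picture has no reason to carry an `onload` handler or a `<script>` element, so any of the `EXECUTABLE` indicators, or any invisible code point inside the file, is enough to hold it for review.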

The combination of SVG-based delivery and advanced obfuscation represents a notable evolution in phishing operations, especially those offered as turnkey services to lower-tier cybercriminals. These changes point to a broader trend: phishing campaigns are becoming more modular, evasive, and automated—targeting enterprise platforms with precision tools that bypass both MFA and modern email defenses.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.