Apple Safari has become the first major browser to be purged of one of the web's longest-running privacy defects: The ability for any site owner to effortlessly steal a complete copy of your recent browsing history.

The browser history disclosure leak is as old as the World Wide Web itself, and it afflicted every major browser – until now. Starting with versions released Monday, Safari no longer coughs up the list of websites a user has visited. The change is one of almost 50 security fixes Apple engineers added to versions 4.1 and 5.0 of the browser.

In characteristic Apple fashion, the company buried news of the change at the bottom of this page. We pointed the new Safari version at sites here and here, which exploit the weakness, and neither worked. The attacks succeeded just fine against Google Chrome and Firefox, and one of them succeeded even when Firefox was running the NoScript add-on.

According to the results of more than 271,000 visits captured in a recent study, the vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. Surprisingly, the proportion was even higher for those using Safari and Chrome and among browsers that turned off JavaScript.

The history leak is the result of the same CSS, or cascading style sheet, technology that causes a browser to display links that have been visited in a different color than addresses that have not been visited. It also allows webmasters to customize content and user interfaces on their sites based on the links individual users regularly visit. Browser makers have long been aware that it can reveal potentially sensitive websites users visit, but have been reluctant to patch the hole for fear it will remove functionality people have come to depend on.

In April, Mozilla said it planned to fix the browser history leakage in an upcoming version of Firefox. While recent beta versions of the browser have the feature turned on, the latest production version remains wide open. Chrome and Internet Explorer are also vulnerable.

Because Safari is based on the same code base as Chrome, it wouldn't be surprising to see the latter browser fixed soon too. That will leave IE as the only major browser with no stated plans to fix the weakness. Microsoft has so far been tight-lipped about its plans, offering only half-baked work-arounds and the warning that browser fixes could break websites.

The history fix is by no means the only security improvement added to the latest version of Safari. The browser now ships with a filter designed to prevent XSS, or cross-site scripting, attacks from working. Microsoft introduced a similar feature to IE 8 and Firefox with NoScript achieves the same result. But as reported by the 0x0Lab Blog, Safari's implementation is easily bypassed. ®

Related stories

• It's ba-ack. Exploit revives slain browser history bug (5 December 2011)

  https://www.theregister.com/2011/12/05/browser_history_attack_revived/

• Marketer taps browser flaw to see if you're pregnant (22 July 2011)

  https://www.theregister.com/2011/07/22/marketer_sniffs_browser_history/

• Man knows when you're signed in to GMail, Twitter, Digg (26 January 2011)

  https://www.theregister.com/2011/01/26/detecting_logins/

• Popular sites caught sniffing user browser history (3 December 2010)

  https://www.theregister.com/2010/12/03/browser_history_sniffing/

• Safari and Firefox updates plug critical holes (8 September 2010)

  https://www.theregister.com/2010/09/08/alternative_browser_updates/

• Private browsing modes in four biggest browsers often fail (6 August 2010)

  https://www.theregister.com/2010/08/06/private_browsing_mode_failure/

• IE and Safari lets attackers steal user names and addresses (20 July 2010)

  https://www.theregister.com/2010/07/20/browser_info_disclosure_weaknesses/

• Google Chrome will block out-of-date plug-ins (30 June 2010)

  https://www.theregister.com/2010/06/30/google_chrome_plug_in_blocker/

• Chrome squeaks past Safari in US (28 June 2010)

  https://www.theregister.com/2010/06/28/crame_passes_safari/

• US lawmakers grill Apple on location tracking changes (25 June 2010)

  https://www.theregister.com/2010/06/25/apple_location_terms_and_conditions/

• No secret to stopping XSS and SQL injection attacks (23 June 2010)

  https://www.theregister.com/2010/06/23/xxs_sql_injection_attacks_testing_remedy/

• Excel revolutionary needed to crush web-forms anarchy (14 June 2010)

  https://www.theregister.com/2010/06/14/vroom_forms/

• Fanbois howl over 'hang a lot' Safari 5 (10 June 2010)

  https://www.theregister.com/2010/06/10/safari_5_woes/

• Safari 5 off to Apple's traditional rough start (8 June 2010)

  https://www.theregister.com/2010/06/08/safari_5_problems/

• Most browsers silently expose intimate viewing habits (20 May 2010)

  https://www.theregister.com/2010/05/20/browser_history_attack/

• Firefox plans fix for decade-old browsing history leak (5 April 2010)

  https://www.theregister.com/2010/04/05/firefox_browsing_history_fix/

• Researcher raids browser history for webmail login tokens (20 July 2009)

  https://www.theregister.com/2009/07/20/csrf_token_hijacking/

• Site schools world+dog in browsing history pilfering (8 May 2009)

  https://www.theregister.com/2009/05/08/browser_history_theft/

• Site guesses your sex via age-old web flaw (28 July 2008)

  https://www.theregister.com/2008/07/28/browser_history_leakage/

• Web browsers face crisis of security confidence (23 June 2008)

  https://www.theregister.com/2008/06/23/marginal_browser_security_protections/