Google’s Chrome Incognito fix created new ways for sites to detect private users

Fixing one loophole created two more, and websites are already taking advantage

Chrome on Windows 10

Google’s fix for the Incognito detection loophole didn’t last long. Websites have already found new ways to detect if someone uses Chrome’s private browsing mode.

Granted, most people predicted this — even Google knew more detection methods would come. When the search giant pushed out the initial fix for the problem in Chrome 76, it published a blog post promising to continue protecting users against Incognito detection.

Since Chrome 76 brought the Incognito mode fix to the masses, at least two security researchers have come forward with potential workarounds. To understand the workarounds, however, you need to know how Google tried to fix the problem.

Incognito detection hinges on how Chrome handles access to the file system. Before version 76, the browser only allowed storage access in regular browsing modes. Preventing access to storage was a way to protect users from having data and information from their Incognito session saved to their device. However, it also served as a way for websites to detect private browsers — if sites couldn’t access the file system, the user was probably browsing Incognito.

Google’s fix in Chrome 76 created a temporary file system within the device’s RAM. This made the file system present regardless of whether a user was in Incognito. Additionally, because the temporary file system lived in RAM, any data stored during the session was wiped when the user closed Chrome.

Google closed a door and opened two windows

Unfortunately, the fix brought with it two new ways to detect Incognito. First, websites could measure how much storage they were allowed to use. The process was rather complex (you can read a full breakdown here), but essentially, Incognito’s RAM-backed file system offered sites significantly less storage than normal browsing did, and that difference in quota made it a reliable way to detect Incognito.

Further, RAM is significantly faster than the storage typically found in computers, like SSDs and hard drives. Another researcher uncovered a way to detect Incognito by simply timing how fast data could be written through the file system. Since writes to RAM complete much more quickly than writes to disk, sites could use this timing difference to detect Incognito reliably.

Thankfully, Google is aware of both of these issues. A recent post on the Chromium Bug Tracker outlines the two detection methods as well as possible solutions. The main idea Googlers are tossing around is to encrypt Incognito data and store it on the hard drive instead of in RAM, which would defeat both the quota-based and the timing-based detection methods described above. The encryption key would stay in RAM, however, so even if the data itself were not deleted, the key would be discarded when the user exited Chrome. In other words, the data left on disk would remain encrypted and inaccessible.

Unfortunately, there are some potential issues with the solution as well. Some Googlers note that adding encryption would be a feat of engineering, and could reduce performance or battery life.

However Google decides to fix Incognito mode detection, the company had better move quickly. Some websites, like the New York Times, have already implemented the new Incognito detection methods.

Source: Google, Jesse Li

Via: Techdows