Want to browse but without leaving a history? Do you click the Incognito mode button imagining you are safe from websites prying on your search content? Think again. Even though Google claims to have fixed the loophole in Chrome, sites have found a smarter way of spying on the Private mode data. Chromium well aware of the situation that it is indeed still possible to recognise incognito using File API with Quota and attacks.
Here is what transpired so far:
Google, by default, disables FileSystem API during any actions performed within a Private Tab in Chrome browser so that this will result in dodging any traces to be saved to the disk.
In a blog post by Google, it states that “People choose to browse the web privately for many reasons. Some wish to protect their privacy on shared or borrowed devices or to exclude certain activities from their browsing histories. In situations such as political oppression or domestic abuse, people may have important safety reasons for concealing their web activity and their use of private browsing features.”
A few news websites by requisite need users to log in for a follow-up on articles, these check for FileSystem API. If they get an error message, the authentication process of a user happens in Private browsing mode. Once this process takes place the user should use Incognito mode to read content regularly.
Understanding the consequences of this loophole, Google commenced work to reform the problem. By introducing a new flag which approves FileSystem API in Incognito and makes this feature default in Chrome 76.
Google added in the blog “With the release of Chrome 76 scheduled for July 30, the behaviour of the FileSystem API will be modified to remedy this method of Incognito Mode detection.”
Post update the most advanced Chrome version 76 has created confusion.
A user visits a news website in Incognito mode and browses for an article. The site identifies the usage of Private Mode and a pop-up appears for logging into the site. To overcome this obstacle enabling the “FileSystem API in Incognito” flag is also rendered useless.
A recent discovery by a security researcher exposed how ineffectual the loophole fix is. Explaining that by playing around Quota Management API websites can see users activities.
Another developer Jesse Li revealed that “FileSystem API writes are measurably faster and less noisy in an incognito mode allowing websites to detect incognito visitors by benchmarking their write speed”.
As Google responded earlier “Chrome will likewise work to remedy any other current or future means of incognito mode detection”. Chromium team reviewed the flaws caused by quota and timing attacks and created a bug to address this matter.
“After adding in-memory file system API (issue: 93417). We have two other related surfaces for incognito mode detection using FS-API:
1- Available quota in regular mode is much bigger then incognito mode, and this creates an almost clear detection surface.
2- Access to memory is much faster than disk, and it makes timing attacks possible”.
Certainly, for a reliable private browsing experience, all we can do is wait for Google to fix the concerns. Finally, provide the most advanced version of Chrome, where websites cannot observe users actions in Incognito Mode.