Chrome’s new Incognito privacy features are already being sabotaged by websites

Some websites are coming up with imaginative – and sometimes nefarious – ways of getting around a new Chrome feature that’s supposed to stop sites from detecting whether its visitors are using Incognito mode.

Incognito mode is a way to browse the internet more privately, stopping websites from installing cookies and tracking your movements online. It’s not fully private, but it does offer more protection than standard browsing.

However, many websites have been using methods to detect if a visitor is using Incognito mode – such as trying to write data to a user’s hard drive using FileSystem API. If they weren’t able to do that, it meant the visitor was using Incognito mode.

With Chrome 76, Google introduced a feature that allowed the browser to pretend to accept the request, but instead write the data to RAM – which would then be wiped. 

This was designed to fool websites into thinking users weren’t using Incognito mode. It was a crafty move, but it appears some websites have already found ways around this.

Hide and seek

According to Vikas Mishra, a security researcher, websites can use the Quota Management API to detect if the data is being written to a hard drive or RAM, depending on the storage space available. If the user is found to be using RAM, it means they’re using Incognito mode.

Another developer, Jesse Li, has found a timing attack that can be used to see how fast the data is being written. If the write speed is very fast, it means it’s being written to RAM, and therefore the visitor is using Incognito mode.

We don’t know how many websites are using these methods, but it’s likely to be used by any website that wants to know if users are using Incognito mode – for example if they want to limit how many free articles a user can view before they have to subscribe.

The good news is that Google is aware of the issue, and is working on a way to stop websites using these workarounds.

Via Techdows

Chrome’s new Incognito privacy features are already being sabotaged by websites 3

Article source: