Some websites are coming up with imaginative – and sometimes nefarious – ways of getting around a new Chrome feature that’s supposed to stop sites from detecting whether its visitors are using Incognito mode.
Incognito mode is a way to browse the internet more privately, stopping websites from installing cookies and tracking your movements online. It’s not fully private, but it does offer more protection than standard browsing.
However, many websites have been using methods to detect if a visitor is using Incognito mode – such as trying to write data to a user’s hard drive using FileSystem API. If they weren’t able to do that, it meant the visitor was using Incognito mode.
- The secrets web browsers hold about users – what's the risk?
- Former Edge intern hints Google made changes to mess with Microsoft’s browser
- Microsoft claims Edge is the best web browser for long battery life
With Chrome 76, Google introduced a feature that allowed the browser to pretend to accept the request, but instead write the data to RAM – which would then be wiped.
This was designed to fool websites into thinking users weren’t using Incognito mode. It was a crafty move, but it appears some websites have already found ways around this.
Hide and seek
According to Vikas Mishra (opens in new tab), a security researcher, websites can use the Quota Management API to detect if the data is being written to a hard drive or RAM, depending on the storage space available. If the user is found to be using RAM, it means they’re using Incognito mode.
Another developer, Jesse Li (opens in new tab), has found a timing attack that can be used to see how fast the data is being written. If the write speed is very fast, it means it’s being written to RAM, and therefore the visitor is using Incognito mode.
We don’t know how many websites are using these methods, but it’s likely to be used by any website that wants to know if users are using Incognito mode – for example if they want to limit how many free articles a user can view before they have to subscribe.
The good news is that Google is aware of the issue (opens in new tab), and is working on a way to stop websites using these workarounds.
- These are the best web browsers of 2019
Via Techdows (opens in new tab)