With recent stories rolling out about the amount of tracking cookies Chrome has hunting you down and the move to block ad-blockers unless you pay Google, Chrome’s reputation has taken a bit of a beating recently. It has also been a somewhat badly kept secret for years now that Google Chrome’s Incognito mode is not as private as you would think it is.
Last month, Google moved to address this final point in what must have seemed like a desperate attempt to restore Chrome’s beleaguered reputation. The internet giant moved to close off a loophole that allowed web developers and sites to detect users who were visiting their pages while in Incognito mode.
The move was met with plaudits too, as it appeared to work. Unfortunately for Google, that apparent truth has evaporated as researchers claim to have discovered a way around it.
Researchers have discovered two tricks that make it possible for websites to detect when users are visiting in Incognito mode
A successful Incognito mode can be bad for websites in a number of ways. The clearest one relates to ad revenue. When websites can track your online activity, they can serve you up more personalized ads, which in turn generate more revenue.
The other big one though, relates to media outlets offering a certain number of free page views before you have to pay. If you’ve ever seen a banner ad saying you’ve only three free articles left this month, then you’ve come up against this. A genuinely “incognito” mode stops these sites from knowing how many of your free articles you’ve read.
This all means that there is a real financial incentive to breaking through an Incognito Mode and it looks like it hasn’t taken long for researchers to bust through Google’s new and improved Incognito mode. Google announced that it had closed the previous loophole on July 18 and since then two security researchers have published ways for websites to detect somebody in Incognito mode.
The first researcher, Vikas Mishra, noticed a painfully simple way to bypass the new and improved Incognito mode. He realized that Chrome caps incognito windows memory usage at 120mb while normal windows running normal web pages use a lot more memory than this. This means that any window that has a 120mb memory limit is likely to be in Incognito mode. Mishra even wrote a script that exploits this vulnerability.
The second researcher, Jesse Li, used a slightly more complicated measure. Li measured the different speeds of writing data to memory rather than disk using the two different browser modes and discovered a discrepancy that gives the game away.
When it comes down to it, Mishra’s breach is easily fixed by tweaking the amount of memory Incognito pages have access to and Li’s isn’t the easiest to implement. Whereas both researchers will likely be working at Google themselves sooner rather than later as a result of their discoveries they may not actually change too much stuff in the short to medium-term.
Google is already working on a fix to the problem, although, it has already noted that The New York Times is already exploiting one of the bugs, to detect people reading its articles in Incognito mode.
The problem in all of this, however, is that financial incentive we mentioned earlier. As long as invading your privacy will make companies money, they’ll keep trying to do it. In the long term this is a problem that isn’t going to go away until that fundamental issue is addressed.