If you realized Google just fixed the loophole in the Chrome that prevents sites from detecting incognito mode, sites got clever and started using other methods to detect Private mode in Chrome 76. Chromium team itself aware of the fact that it is still possible to detect Incognito using File System API with Quota and timing attacks.
The story so far:
Google by default disables FileSystem API in Incognito mode in Chrome browser to prevent traces from being saved to disk. News sites that require users to sign up to view their content checks for FileSystem API and if they receive error message, they’ll confirm user in Private browsing mode and ask them to log in or create a free account to read content continuously in Private mode.
Google aware of this loophole and began working to fix it by introducing a new flag that enables FileSystem API in Incognito, the feature has been enabled by default in Chrome 76. Google wrote a blog post saying incognito mode allows users to browse the web privately and confirmed they fixed FileSystem API loophole in the latest Chrome that some sites taking advantage of.
Now in latest Chrome version 76, if you visit The Newyorktimes site in Incognito mode and browse an article, the site detects Private mode and asks to log into their site. Though it doesn’t make sense, we’ve tried to enable the “FileSystem API in Incognito” flag and see it helps, NYT still detected the incognito mode.
Recently, a security researcher revealed incognito mode detection prevention isn’t effective in Chrome browser and said the sites can still detect by playing around Quota Management API. Another developer Jesse Li came up with a proof of concept of technique which websites could use to detect private mode by measuring the speed of writes to the Filesystem API.
“FileSystem API writes are measurably faster and less noisy in an incognito mode allowing websites to detect incognito visitors by benchmarking their write speed,” says Jesse Li.
As Google said before “Chrome will likewise work to remedy any other current or future means of incognito mode detection”, Chromium team created a bug to address incognito detection that involves using quota and timing attacks.
Here is the bug description:
“After adding in-memory file system API (issue: 93417). We have two other related surfaces for incognito mode detection using FS-API:
1- Available quota in regular mode is much bigger then incognito mode, and this creates an almost clear detection surface.
2- Access to memory is much faster than disk, and it makes timing attacks possible”.
We can expect these issues to be fixed by Google in the future to bring a truly private browsing experience to Chrome users that can’t be detected by websites.
