Chrome's solution to prevent websites from knowing that we use incognito mode didn't really solve anything

by Kelvin
At the beginning of the year, Google announced that Chrome would receive an update to prevent websites from knowing when we are using the browser's incognito mode. This change had been needed for quite some time, since detecting incognito mode is another way in which some websites can track us.

With the arrival of Chrome 76 just a couple of weeks ago, that change finally came into effect, but as recently demonstrated by security researchers, Google’s solution really did not solve anything.

  

Websites can continue to detect when we use incognito mode

To understand why the "solution" failed, you first have to understand what the problem with incognito mode was. Leaving aside that private mode has nothing, the Google browser uses a special API to create an isolated virtual file system within the browser, and that represented a privacy issue.

This virtual file system lets a website use many resources without having to download them every time, so that it works better and faster. Until the arrival of Chrome 76, that API, called the FileSystem API, was not available in incognito mode, so to detect whether you were using incognito mode, a website just had to check whether the API was available.

To remedy this, Chrome began allowing the API in incognito mode with some adjustments, namely storing the virtual file system in RAM instead of on the device's storage, as it does in normal mode.

So with Chrome 76, a site could not, in theory, tell normal mode from incognito mode just by checking whether the API is available.

However, this really did not solve anything because, as a researcher found, a website can be more ingenious and instead look at the amount of storage space the API grants to a website, since in incognito mode there is a limit of 120 MB.

Basically, a website just has to check whether the API in your browser is capable of storing more than that limit to tell whether it is running in a normal or an incognito tab. In addition, another researcher discovered that the API's write speed also differs between the two modes.
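
To see the quota signal described above on your own browser profile, here is an added example (not code from the article, the researchers or Chromium). It assumes the quota is read through navigator.storage.estimate(), falling back to the older navigator.webkitTemporaryStorage call; the article does not name the call, and the function and stub names are made up for this sketch.

```javascript
// Added example: audit whether this profile reports the capped quota.
// The 120 MB figure is the incognito limit stated in the article.
const INCOGNITO_CAP_BYTES = 120 * 1024 * 1024;

// Turn a reported quota (in bytes) into an audit verdict.
function classifyQuota(quotaBytes, capBytes = INCOGNITO_CAP_BYTES) {
  if (!Number.isFinite(quotaBytes) || quotaBytes < 0) {
    return { verdict: "unknown", quotaBytes: null };
  }
  // "capped" is a signal, not proof: Chrome sizes quota from disk space,
  // so a regular profile on a nearly full disk can also report a small value.
  return { verdict: quotaBytes <= capBytes ? "capped" : "uncapped", quotaBytes };
}

// Read the quota the browser reports to a page. `nav` is a navigator-like
// object so the function can be exercised with stubs outside a browser.
async function readQuota(nav) {
  if (nav && nav.storage && typeof nav.storage.estimate === "function") {
    const { quota } = await nav.storage.estimate();
    return quota;
  }
  // Older Chrome-only interface (assumed fallback; callback style).
  const legacy = nav && nav.webkitTemporaryStorage;
  if (legacy && typeof legacy.queryUsageAndQuota === "function") {
    return new Promise((resolve, reject) =>
      legacy.queryUsageAndQuota((_usage, quota) => resolve(quota), reject));
  }
  return NaN; // neither interface is present
}

async function auditProfile(nav) {
  return classifyQuota(await readQuota(nav));
}

// Constructed stubs standing in for two browser profiles (not real captures).
const MB = 1024 * 1024;
const STUB_CAPPED = { storage: { estimate: async () => ({ usage: 0, quota: 100 * MB }) } };
const STUB_LEGACY = {
  webkitTemporaryStorage: { queryUsageAndQuota: (ok) => ok(0, 2048 * MB) },
};

// In a browser, audit the real profile; elsewhere, run the stubs.
const inBrowser = typeof window !== "undefined" && typeof navigator !== "undefined";
const targets = inBrowser ? { thisProfile: navigator } : { STUB_CAPPED, STUB_LEGACY };
for (const [name, nav] of Object.entries(targets)) {
  auditProfile(nav).then((r) => console.log(name, r.verdict, r.quotaBytes));
}
```

Run it once in a normal window and once in an incognito window: if the verdicts differ, the profile still exposes the signal.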

Chromium developers are already working on fixing both bugs. Meanwhile, there are already websites using them to detect which mode we are in.
