Some News Publishers Can Still Spot the Users If They Are Using Chrome Incognito Mode

Google has been aware of multiple loopholes in the FileSystem API and they have been trying to fix these flaws. The FileSystem API was being used by many different sites in order to identify if the user was accessing a website on incognito mode. Although Google has already sorted a lot of problems, however, not all the fixes have been implements. The New York Times still capable of detecting private browsing sessions for the paywalls. This means that even though it is completely on private mode, online news publishers can still detect the users.

The real question at this point is how is New York Times able to detect the user even when it is one incognito mode? To answer this problem, two security researchers at TechDows explained that there was, in fact, a way that can be used by a website to bypass the sophisticated Google protection that has been implemented. To keep this possible, websites keep a check if there was any call made to FileSystem API asking about writing to the hard drive of the user directly that can help in returning the error when the system was on incognito mode. To solve this issue, google made a fix by telling the Google chrome to write data to RAM, instead which will soon be erased.


Although this fix worked in the eyes of Google, websites can use the Quota Management API in order to exploit the differences. The main thing is that the temporary storage quota is different between the incognito mode and regular browsing and websites tried to fill this difference. These websites by bypassing the fix can also keep an eye on the write speed that can help them to see if the data is beginning written to the RAM or even hard drive. Just because most of the write speed on Ram is relatively faster than a hard drive, this is also important. This can be used as another indirect mean that can help in the detection of the user private browsing.

Websites Can Spot the Users Even When They Are Using Chrome Incognito Mode
Image: AP Photo/Mark Lennihan

Read next: Google 76 hides sub-domains but there are tricks to undo it

No comments:

Post a Comment