Chrome's 'more private' Incognito mode: Websites can still detect you're using it
Website developers have already crafted methods to bypass Google's recent efforts to stop them detecting when Chrome is in Incognito mode.
Only last month, Google announced it was modifying Chrome's Filesystem API, which sites use to store temporary or permanent files.
Previously, if the API was not available, a website could assume the browser was in Incognito mode. Google also promised to close off any new methods to detect when a browser is in Incognito mode.
Some news websites attempt to detect when Chrome is in private mode to enforce free article limits and ask visitors to switch to regular tabs.
The change to the Filesystem API arrived in Chrome 76, which makes the API available to websites in private mode and therefore prevents them from using its absence as a proxy for detecting Incognito mode.
But security researcher Vikas Mishra recently found that publishers could tell if a tab is in Incognito mode by looking at the amount of space the API makes available to a website.
Mishra discovered that by using another API that manages the quota assigned to the amount of space a website has in temporary storage -- RAM rather than disk -- it was possible to infer when a browser is in Incognito mode.
The "key differences in TEMPORARY storage quota between Incognito and non-Incognito mode are that in case of Incognito mode, there's a hard limit of 120MB while this is not the case for non-Incognito window", Mishra wrote. The available quota in normal mode is much bigger than 120MB.
Another security researcher, Jesse Li, has built on this technique by measuring the speed of writes to the quota API. Li found that writes in normal mode are both slower and more variable in speed than writes in Incognito mode.
Li notes that his technique is slower and less reliable than existing techniques. However, it is also harder to patch because of the technical decision to store data in memory rather than disk. He thinks the only way to block this technique is for Incognito mode and normal mode to use the same storage.
Chromium developers are working on a fix for both the quota and timing bugs, described as the two related surfaces for Incognito-mode detection using the Filesystem API. As noted in the bug report, the New York Times is already using the quota-detection method to tell when Chrome is in Incognito mode.
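As an added example (not code from Mishra, Li or the Chromium project), the following audit shows how a browser tester could check whether measurements taken from a normal and an Incognito profile are still distinguishable by the two signals described above. The function names, thresholds and sample measurements are assumptions constructed for illustration; only the 120MB cap comes from the article.

```javascript
// Added example: audits measurements for the two signals the article describes.
// All sample values, names and thresholds below are constructed assumptions.
const INCOGNITO_QUOTA_CAP = 120 * 1024 * 1024; // 120MB hard limit quoted by Mishra

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const variance = (xs) => {
  const m = mean(xs);
  return xs.reduce((a, x) => a + (x - m) ** 2, 0) / (xs.length - 1); // sample variance
};

// Quota signal: the private profile sits at or under the cap while the normal one does not.
function quotaLeaks(normalQuota, privateQuota, cap = INCOGNITO_QUOTA_CAP) {
  return privateQuota <= cap && normalQuota > cap;
}

// Timing signal: normal-mode writes are slower (Welch's t) or more variable (std-dev ratio).
function timingLeaks(normalMs, privateMs, tLimit = 3, spreadLimit = 2) {
  if (normalMs.length < 2 || privateMs.length < 2) throw new Error("need >= 2 samples per mode");
  const vN = variance(normalMs), vP = variance(privateMs);
  const se = Math.sqrt(vN / normalMs.length + vP / privateMs.length);
  const diff = mean(normalMs) - mean(privateMs);
  const t = se === 0 ? (diff === 0 ? 0 : Infinity) : Math.abs(diff) / se;
  const spread = vP === 0 ? (vN === 0 ? 1 : Infinity) : Math.sqrt(vN / vP);
  return { t, spread, leaks: t > tLimit || spread > spreadLimit || spread < 1 / spreadLimit };
}

function auditBuild({ quota, writeMs }) {
  const q = quotaLeaks(quota.normal, quota.private);
  const timing = timingLeaks(writeMs.normal, writeMs.private);
  return { quota: q, timing: timing.leaks, distinguishable: q || timing.leaks };
}

// Constructed measurements: a build behaving as the article describes, and a
// hypothetical build where both modes share the same storage backend.
const describedBuild = {
  quota: { normal: 50 * 1024 ** 3, private: 100 * 1024 ** 2 },
  writeMs: { normal: [12.1, 19.4, 8.7, 25.3, 15.0, 30.2], private: [2.1, 2.3, 2.0, 2.2, 2.1, 2.4] },
};
const sharedStorageBuild = {
  quota: { normal: 2 * 1024 ** 3, private: 2 * 1024 ** 3 },
  writeMs: { normal: [2.2, 2.0, 2.3, 2.1, 2.2, 2.4], private: [2.1, 2.3, 2.0, 2.2, 2.1, 2.4] },
};

console.log(auditBuild(describedBuild));
console.log(auditBuild(sharedStorageBuild));
```

A build passes the audit only when both the quota and timing results are false, which matches Li's point that the modes need to use the same storage for the timing signal to disappear.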