Google to clamp down on Incognito Mode detection

Company also triples maximum baseline reward for security bugs.
Written by Chris Duckett, Contributor

Google has chosen to remove a method websites could use to detect visitors browsing in Chrome's Incognito Mode.

When Chrome 76 lands at the end of July, sites will no longer be able to check whether the FileSystem API is available. If it was not available, sites could deduce the visitor was in an incognito tab.

"The behavior of the FileSystem API will be modified to remedy this method of Incognito Mode detection," Google said in a blog post.

"Chrome will likewise work to remedy any other current or future means of Incognito Mode detection."

Google said sites that complain and ask visitors to switch to regular browser tabs -- usually in an effort to count how many visits they have had over a certain timeframe -- should hold their fire and see how much difference the change makes before undertaking any "reactive measures".

"Sites that wish to deter meter circumvention have options such as reducing the number of free articles someone can view before logging in, requiring free registration to view any content, or hardening their paywalls," Google said.

"Our News teams support sites with meter strategies and recognize the goal of reducing meter circumvention, however any approach based on private browsing detection undermines the principles of Incognito Mode."

At the same time, Google said in a blog post it was tripling the "maximum baseline reward amount" for finding a Chrome vulnerability from $5,000 to $15,000, and taking the maximum payout to $30,000.

For a Chrome OS bug that compromises a Chromebook, a security researcher could now gain $150,000 as a standard reward.

Google said its Chrome Vulnerability Rewards Program has handed over $5 million since its establishment in 2010.
