In the privacy cat and mouse game between browsers and website trackers, websites are once again one step ahead, as trackers have found a way to work around Chrome’s attempts to prevent them from detecting when you are in Incognito mode.
Some websites want to know when you are in Incognito mode as some users use this to work around daily article limits, refusing to serve content to users in Incognito mode so their visits could be tracked via cookies.
One of the ways they did this was to attempt to write data to disk using FileSystem API. If this failed they knew the user was in Incognito mode. Google attempted to work around this by pretending to accept the request to write data to disk, but instead to write it to RAM and eventually discard this.
This feature is present as a flag in Chrome 76, but some websites appear to have already worked around this. Security researcher Vikas Mishra has found that Quota Management API will report a different storage quota to websites that were only 10% as much as when users were not in Incognito mode. Developer Jesse Li also found a timing attack to detect Incognito mode, as writing data to RAM is faster and more reliable than writing to disk.
“FileSystem API writes are measurably faster and less noisy in an incognito mode allowing websites to detect incognito visitors by benchmarking their write speed,” says Jesse Li.
Google is aware of the issue, with a Chromium bug open for the workarounds, saying “Chrome will likewise work to remedy any other current or future means of incognito mode detection.”
It seems the cat and mouse game will continue.