In the wake of Google’s plan to fix an Incognito Mode loophole that allows websites to detect when users are browsing using the private setting, a security researcher claims there’s another way to identify Incognito browsers.
In Chrome 76, due out at the end of July, Google will implement a fix for the Incognito loophole. Until now, websites could check for Chrome’s ‘FileSystem API,’ which isn’t available in Incognito Mode. If the API wasn’t available, the site knew the browser was in Incognito. In some cases, sites used this to prevent users from accessing parts of the website.
While Chrome 76 fixes that by creating a different version of the FileSystem API that uses RAM when in Incognito, there are other ways to detect if someone is using the private browsing feature.
According to security researcher and Ph.D. student Vikas Mishra, Chrome and other browsers have a ‘Storage Quota Management API’ which functions differently in Incognito or private browsing modes.
The API tells web apps how much temporary storage space they can use and how much of the allotment remains available.
In a typical browsing scenario, the total storage capacity shared across all apps is at least 10 percent of the hard drive’s maximum capacity up to a maximum of 2GB. A single app can use up to half of this, making for a maximum of 1GB.
However, Incognito Mode doesn’t allow web apps to write data to the hard drive, which could allow for device tracking. Instead, the browser bases the storage allotment on a device’s RAM, with a maximum of 120MB.
According to Mishra, for a non-Incognito browser to have a 120MB storage quota, it would need to have a minuscule 2.4GB hard drive. Considering how unlikely that is in 2019, websites can safely bet that a browser returning 120MB of available storage is running in Incognito.
Mishra also provides a code sample that reveals how simple his method of Incognito detection is.
Thankfully, when Google announced the fix for Chrome 76, it said it expected more Incognito detection methods to pop up. The search giant seems intent on quashing them and keeping Incognito private.
As for Mishra’s method, it’s still relatively new. Web developers and publishers likely haven’t put it into use yet, and likely won’t in the immediate future.