Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fixing Chrome API To Prevent Incognito Mode Detection (bleepingcomputer.com)

Posted by msmash on from the patch-incoming dept.

AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.

Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.

19 of 42 comments (clear)

  1. Re:Does not compute by AHuxley · · Score: 1

    Allowing more ads does not improve privacy.

    --
    Domestic spying is now "Benign Information Gathering"
  2. Written by? by hcs_$reboot · · Score: 1

    TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"

    Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Written by? by GuB-42 · · Score: 2

      TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"
      Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?

      They didn't miss it, quite the opposite, it is a potential problem they identified for a solution that isn't out yet.
      As for limiting to x MB, it is exactly what they intend to do, but while it is an obvious solution, finding the value of x isn't.

    2. Re:Written by? by bluefoxlucid · · Score: 1

      Alternatively, they could generate an encryption key and keep it in the incognito browser's memory. Use operating system APIs to pin that page to memory (standard for encryption keys) so it doesn't go to swap. Encrypt and encode filenames, and stream the files to disk encrypted. Mark the whole thing as temporary.

      It leaves evidence that you used incognito mode, but only gibberish about what actually happened in incognito mode.

      --
      Support my political activism on Patreon.
  3. Other methods to check by guruevi · · Score: 4, Informative

    This has been known for several years (https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script)

    There are plenty of other methods to check whether or not you're in incognito mode (http://www.collinjackson.com/research/private-browsing.pdf)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Other methods to check by AmiMoJo · · Score: 2

      You will note that after this fix none of the methods outlined in either of your links work any more. The CSS visited link hack was fixed years ago, for example. The paper suggests testing things like SMB links, which are only supported in Internet Explorer anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re: Other methods to check by Anonymous Coward · · Score: 1

      I browse in âoeprivate modeâ on my iPhone exclusively, and I see a lot of ads for Ashley Madison. I had always assumed this was because they knew I was in private mode. And no, I have never visited that site!

  4. News Sites by crow · · Score: 2

    Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode. I'll be happy if this breaks their block.

    Of course, with the vast number of APIs available now, fingerprinting is just about as good as cookies. Browsers reveal far too much information.

    1. Re:News Sites by cshay · · Score: 1

      There are cookie related add-ins that will delete cookies after a certain amount of time away from the site. On Chrome I use Vanilla Cookie Manager and on Firefox I use Self-Destructing Cookie (pre-extension apocalypse)

      If websites focus their efforts on incognito mode, I would just use one of those extensions.

  5. If any Chrome devs reading this by Billly+Gates · · Score: 1

    Can you please put the option to put the tabs and blinding white off back to where it was at version 70?

    I still use that version as I get migraines easily and it's hard to differentiate tabs with my multiple monitors

    --
    http://saveie6.com/
  6. Re:Does not compute by Anonymous Coward · · Score: 2

    Google's mistake with it's incognito mode was actually having it behave differently rather than having it behave the same and just sandboxing -everything-

    There's another thing that incognito mode destroys your privacy with, and that is the browser history if you've visited the site before without incognito. try it, go to google.com and then open an incognito window and start typing google.com, it will auto-fill it. If you open the browser history, it will then toss you back to the non-incognito mode.

    That's not very private is it?

  7. Re: Does not compute by DontBeAMoran · · Score: 1

    Oh, come on now. We're all adults here. We know this is just stories we tell children. Schnapps doesn't really exist.

    --
    #DeleteFacebook
  8. There is no such thing as "anonymous" by Tony+Isaac · · Score: 1

    If you want to browse the web anonymously, forget it. No matter what tricks you use, you can be tracked. Sure, some methods of going incognito are better than others, but when it comes down to it, don't ever, ever trust that what you are doing on the Web can't be found out.

  9. Re: Does not compute by AmiMoJo · · Score: 2

    "Here's a tool that lets you review all the data we have, which you explicitly opted in to allowing us to collect and which is used to provide the services you enjoy. Here is a button to disable collecting it, and here is a button to delete it."

    "OMG mah privacy!!1"

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Re:Does not compute by AmiMoJo · · Score: 2

    Maybe why Google is also starting to block the worst ads by default anyway. Chrome has a built-in ad blocker now.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Re:Does not compute by petermgreen · · Score: 1

    Companies are neither inherently good or inherently evil, they just do what they think will help their bottom line and/or strategic goals, and yes keeping up a good PR face can be part of that.

    This fix probablly hurts google's competitors more than it hurts google. Google can probablly make a pretty damn good guess whether someone is in incognito mode without resorting to tricks (if a browser shows up with no google cookies it's a pretty good bet it's in incognito mode). Smaller sites will find it harder to guess.

    Similarly with ad-blocking if google sets up the defaults such that they let google's ads through while blocking the more obviously obnoxious ads from competitors they reduce the risk that people will seek-out a third party ad-blocking soloution which may block more aggressively. The web giants nightmare is that the more obnoxious end of the internet ad-market drives the majority of Internet users to install an agressive ad-blocker.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  12. A Potentially Dumb But An All Seriousness Inquiry by osswmi · · Score: 1

    If Chrome has plans to remove the FileSystem API if it sees no legitimate use outside of the aforementioned discovery technique, would this have any impact on the FileReader API in any way shape or form? I only ask this as the FileReader API is key component of a major web project of mine.

  13. MIT Technology Review's tracking blocker blocker by tepples · · Score: 1

    Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode.

    Was it MIT Technology Review? If so, I think it was testing for existence of third-party analytics/advertising ID cookies, not any file system API. I don't use incognito per se, but I have encountered that message while using Firefox built-in tracking protection, which blocks URLs known to be involved in cross-site interest gathering. (It uses the same list as the Disconnect extension.)

    I'll be happy if this breaks their block.

    If a paywalled site doesn't detect a third-party analytics/advertising ID cookie, it may require the user to log in through Facebook, Google, Twitter, GitHub, or the like so that such a cookie can be dropped.

  14. Re:A Potentially Dumb But An All Seriousness Inqui by osswmi · · Score: 1

    Subsequently I saw this article that seem to indicate there was a stance to potentially remove the API all together if Chrome sees fit. https://www.theverge.com/2019/...