Last month, we reported on Google's plan to fix a loophole in the FileSystem API that websites were using to detect whether a user was visiting them in Incognito mode. While those fixes have already been implemented, the New York Times is somehow still capable of detecting private browsing sessions when it comes to its paywalls.
How? As TechDows reports, two security researchers - Vikas Mishra and Jesse Li - have figured out ways websites can work around Google's protections. Websites previously checked whether a call to the FileSystem API asking to write directly to a user's hard drive returned an error, taking the error as an indication that Incognito mode was on. Google fixed this by telling Chrome to write the data to RAM instead and then erase it soon after.
However, websites can now use the Quota Management API to exploit differences in the temporary storage quota between Incognito mode and regular browsing. Similarly, a website could also track write speeds to determine whether the data is being written to the hard drive or to RAM, since writes to RAM are significantly faster. This can be another indirect means of detecting whether a user has private browsing enabled.
Google promised to prioritise its users' privacy when it announced the fix to the FileSystem API and promised to fix any future means of Incognito mode detection as well. Staying true to its word, the browser's developers have already created a bug report for these two loopholes and will likely have them fixed sometime soon.
Source: Vikas Mishra, Jesse Li via TechDows