Google plans to patch browser privacy protection. Again
Plans from Google to stop advertisers and publishers detecting a user’s private browsing session in Chrome 76 have already run into trouble.
In just over a week since the tech giant pushed out the latest version of its browser – one that attempted to fix an Incognito Mode tracking bug – researchers have already published methods to circumvent the patch.
The initial fix, applied to the browser’s FileSystem API, was designed to prevent tracking by websites through detection of file system activities, which change depending on which browsing mode is enabled.
The first bypass method, proposed by security researcher Vikas Mishra last month, relies on the measurement of storage quota differences between Incognito Mode and standard browsing.
For the majority of devices, an Incognito Mode window will use roughly 10% of device memory, with an upper limit of 120MB.
As many PCs have capacities far beyond this, Mishra devised a simple rule and script that detects when the 120MB upper threshold is reached, which in turn gives a strong indication that the private browsing mode is in use.
The Daily Swig confirmed that this technique was able to detect Incognito mode use during a Chrome browsing session.
A second method, revealed by security researcher Jesse Li, relies on a timing attack.
During an Incognito session, data is written to the chip-based memory, instead of going directly to disk, as in normal mode.
This creates a trade-off: write speeds are higher in Incognito Mode than those recorded in regular browsing, while storage capacity is more limited.
By benchmarking the write speeds of a visiting browser, it is therefore possible to detect whether a user is in Incognito Mode, partly because writing to RAM is quicker than writing to disk.
A test developed by security researchers involved writing large strings and measuring how long the process takes.
Li found that writes to disk take on average three or four times longer than writes to memory.
However, the test takes too long to be practical for Incognito detection, ZDNet’s Catalin Cimpanu reports.
If publishers employed this tactic as a gatekeeper for their metered paywalls, it is likely that by the time the test returned a result, the content would already have been accessed and the visitor would have moved on.
False positives or inaccurate readings, caused by background processes slowing down the computer, are also possible.
“The bottom line is that this technique is slower and less reliable, but harder to patch than existing methods because it attacks the underlying technical decision to store data in memory instead of on disk,” Li says.
Google is aware of the workarounds and developers are already discussing ways to remedy the situation, including the potential encryption of data for Incognito Mode.
The Daily Swig has reached out to Google for comment.