With the release of Chrome 76, Google fixed a vulnerability that allowed websites to detect if a visitor was using Incognito mode. Unfortunately, fixing the bug resulted in two other methods that can still be used to detect when a visitor is browsing privately.
Some websites have used Incognito mode detection to prevent users from skipping payments or to give private browsing users a different browsing experience.
This was done by checking the availability of Chrome’s FileSystem API, which was disabled in Incognito mode. The check worked as follows:
- If the browser can access the FileSystem API: not Incognito
- If the browser cannot access the FileSystem API: Incognito
However, to protect user privacy, Google patched this by making the API available in both browsing modes. Instead of backing the FileSystem API with disk storage while in Incognito, Chrome now uses a temporary in-memory file system (memory filesystem) that is discarded when the session is closed.
The use of an in-memory filesystem creates two new ways to detect Incognito mode. Let’s see how they work.
Detecting Incognito mode via the RAM storage limit
When Chrome runs in Incognito mode, it stores this data temporarily in RAM. This opened up a new detection method based on the amount of storage the browser allocates.
In research presented by security researcher Vikas Mishra, he found that when Chrome allocates space for the in-memory file system used by Incognito mode, it grants at most 120 MB.
Using this knowledge, Mishra wrote a script that queries the allocated quota. Specifically, the file system quota reported by the browser indicates:
- 120 MB or less: the browser is in Incognito mode
- More than 120 MB: the browser is in normal mode
Using Mishra’s script, AnonyViet put together a PoC that implements this technique. You can see an example here.
Detecting Incognito mode through access time
When it comes to reading and writing data, RAM is always faster than a hard disk. Because Chrome switches to in-memory storage in Incognito mode, private browsing can be detected by measuring how fast writes to the file system complete.
This second detection method was found by researcher Jesse Li. He timed a series of write operations to the browser’s file system; based on the write speed, a website could in theory determine whether the browser is in Incognito mode.
If you want to measure the file system write speed in both Incognito and normal browsing mode, Li published code that shows the difference.
Open it in both modes and wait patiently: you will see different write timing results.
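As an added example (not AnonyViet’s PoC and not the researchers’ own scripts), the following self-check combines both signals described above so a user can load it in normal and Incognito mode and see whether the browser still exposes the difference. It assumes Chrome’s non-standard webkitRequestFileSystem and the standard navigator.storage.estimate() share the same origin quota, and the 2 ms timing threshold is an assumed calibration value, not a figure from the page.

```javascript
// Added self-check; not code from the original article or the cited researchers.
const INCOGNITO_QUOTA_CAP = 120 * 1024 * 1024; // 120 MB ceiling reported by Mishra

// Quota signal: a reported quota of 120 MB or less matches the in-memory file system.
function quotaSuggestsIncognito(quotaBytes) {
  return Number.isFinite(quotaBytes) && quotaBytes <= INCOGNITO_QUOTA_CAP;
}

// Timing signal: use the median so one slow outlier write does not flip the result.
function medianMs(samples) {
  const s = [...samples].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}
function timingSuggestsIncognito(samples, thresholdMs) {
  if (samples.length < 5) return null; // too few samples to decide either way
  return medianMs(samples) < thresholdMs; // RAM-backed writes finish faster than disk
}

// Browser-only: quota for this origin (assumed to be the bucket the FileSystem API uses).
async function probeQuota() {
  const { quota } = await navigator.storage.estimate();
  return quota;
}

// Browser-only: time one write of `bytes` bytes to Chrome's TEMPORARY file system.
function timedWrite(bytes) {
  return new Promise((resolve, reject) => {
    window.webkitRequestFileSystem(window.TEMPORARY, bytes, (fs) => {
      fs.root.getFile('probe.bin', { create: true }, (entry) => {
        entry.createWriter((writer) => {
          const t0 = performance.now();
          writer.onwriteend = () => resolve(performance.now() - t0);
          writer.onerror = reject;
          writer.write(new Blob([new Uint8Array(bytes)]));
        }, reject);
      }, reject);
    }, reject);
  });
}

// Run in the browser console in both modes; thresholdMs is an assumed calibration value.
async function selfCheck(runs = 10, thresholdMs = 2) {
  const quota = await probeQuota();
  const samples = [];
  for (let i = 0; i < runs; i++) samples.push(await timedWrite(1 << 20)); // 1 MiB writes
  return {
    quotaBytes: quota,
    quotaSignal: quotaSuggestsIncognito(quota),
    timingSignal: timingSuggestsIncognito(samples, thresholdMs),
  };
}
```

Only the two decision helpers run outside a browser; the probes need Chrome with the FileSystem API.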