Google Chrome Incognito Mode Can Still Be Detected by These Methods


With the release of Chrome 76, Google fixed a loophole that allowed web sites to detect if a visitor was using Incognito mode. Unfortunately, their fix led to two other methods that can still be used to detect when a visitor is browsing privately. Some web sites were using Incognito mode detection in order to prevent users from bypassing paywalls or to give private browsing users a different browsing experience. This was being done by checking for the availability of Chrome's FileSystem API, which was disabled in Incognito mode. If a site could access the FileSystem API then the visitor was in a normal browsing session and if it could not access the API the user was in Incognito mode.
As Google wanted users to be able to browse the web privately and for their browsing mode choices to be private as well, they have closed a loophole by making the API available in both browsing modes. As part of this fix, instead of using disk storage for the FileSystem API, when in Incognito mode they are using a transient memory filesystem that gets cleared when a session is closed.

The use of a memory filesystem, though, create two new loopholes that could be used to detect Incognito mode, which are described below.

Detecting Incognito mode through filesystem quotas

When Google made it so that Incognito mode uses a temporary filesystem using the computer's RAM, it opened up a new method of detecting it based on the amount of storage set aside for the internal filesystem used by the browser.
In research presented by security research Vikas Mishra, he found that when Chrome allocates storage for the temporary memory filesystem used by Incognito mode, it will have a maximum quota of 120MB. "Based on the above observations, key differences in TEMPORARY storage quota between incognito and non-incognito mode are that in case of incognito mode, there’s a hard limit of 120MBwhile this is not the case for non-incognito window. And from the above table it’s clear that for the temporary storage quota to be less than 120MB in case of non-incognito mode the device storage has to be less than 2.4GB. However for all practical purposes it is safe to assume that the majority of the devices currently in use have more than 2.4GB of storage." Using this knowledge, Mishra came up with a script that would query the quota allocated to the browser's filesystem and if its 120MB or less, then the browser is in incognito mode.
Using Mishra's script, BleepingComputer came up with a simple PoC that demonstrates this technique. The PoC can be found here.
Detecting Incognito based on file system sizeDetecting Incognito based on filesystem size

Detecting Incognito mode through access timings

When it comes to reading and writing data, memory filesystems are always faster than disk filesystems. As Chrome switched to a memory filesystem in Incognito mode, it is now possible to detect private browsing by measuring the speed of writing to the filesystem. This new detection method was discovered by researcher Jesse Li that measures a series of writes to the browser's filesystem. Based on the speed of these writes, a web site could theoretically determine if the browser is using Incognito mode.
Normal vs Incognito writing timingsNormal vs Incognito writing timings
Unlike Mishra's research, Li did not come up with a full working PoC of this method, but instead came up with a script that will measure the speed of writes and display them. It is up to someone else to come up with the proper measurements to determine incognito mode with this method.

Furthermore, Li's approach requires many writes to determine the speed of the filesystem, which would cause the detection process to take quite a bit of time.

If you would like to measure the filesystem writes in both Incognito and regular browsing mode, Li created a script you can play with to show the write speed differences.

Write Speed TestWrite Speed Test

Sites already using new detection methods

Unfortunately, sites have already started to use Mishra's filesystem quota detection method to determine if a visitor is in Incognito mode.

As noted by Microsoft Edge developer Eric Lawrence, the New York Times, is testing this method to detect when a visitor in in private mode.
New York Times detecting incognito modeNew York Times detecting incognito mode

This is done through a script that clearly shows Mishra's research being used.

Script used to detect Incognito modeScript used to detect Incognito mode

When asking Google about these two new detection methods, Google has told BleepingComputer that they stand by their statement that they will "work to remedy any other current or future means of Incognito Mode detection."

Related Articles:

Chrome 76 Released With Blocked Flash, Incognito Detection Fix

Google Chrome Tests Feature That Gives Any Site a Dark Mode

Google Chrome Hides WWW and HTTPS:// in the Address Bar AgainChrome 69 Shows the WWW & M Subdomains Again, but It’s Only Temporary

Chrome to Add HTTP Cache Partitioning to Block Attacks, Tracking

Similar Articles:

Google's privacy push adds Incognito Mode for Maps and Search

Google's privacy push adds Incognito Mode for Maps and Search

Google Project Zero team reveals ‘high severity’ flaw in macOS kernel, working w/ Apple on a patch

Google Project Zero team reveals ‘high severity’ flaw in macOS kernel, working w/ Apple on a patch

Android P Streamlines Location Accuracy Settings

Android P Streamlines Location Accuracy Settings

Why you need to use a VPN to stop Google and Facebook from tracking your porn habits

Why you need to use a VPN to stop Google and Facebook from tracking your porn habits