Google wants to stop sites from finding out whether users are in incognito mode and, with that in mind, closed the loophole in Chrome 76 that allowed them to do so. What the company may not have expected is that two other methods would soon be developed.
Techniques that reveal whether someone is in incognito mode are used, for example, by news sites that need to prevent someone from circumventing their paywall. Until Chrome 76, pages were able to detect incognito mode by checking whether the FileSystem API was available.
The API is used to write, modify and delete files, but was only offered in standard mode. If it was unavailable, a site could infer that the browser was avoiding writing data and, therefore, that incognito mode was in use.
Sites therefore requested the API and, on receiving an error, could conclude that the user was trying to get around their block. To end the practice, Google started offering the API in both standard and incognito mode.
The detection, however, is not over, because websites already use other ways to tell which mode is in use. The method of security researcher Vikas Mishra, for example, was adopted by the New York Times and takes advantage of the transient in-memory file system that Chrome uses in incognito mode.
That file system clears its records when the incognito session ends and has a 120 MB limit set by Google. In tests, Mishra concluded that for the limit to be 120 MB or less in standard mode, the device would need to have less than 2.4 GB of storage.
Because current devices easily exceed this capacity, he considered it safe to say that if the limit is less than 120 MB, the browser is in incognito mode.
Another method, created by security researcher Jesse Li, compares how long it takes to write files. RAM file systems, used by incognito mode, are faster than disk file systems, used by standard mode.
By analyzing the write times, it is possible to identify which mode is being used. The method is also accurate, but because it requires multiple writes to determine the speed, it takes longer to detect whether the user is actually in incognito mode.
Google is already aware of the new methods and should look for other ways to prevent incognito detection in future updates. In a note, the company said it would “work to remedy any other current or future means of detection in anonymous mode”.