Googlers hate it! This one weird trick lets websites dodge Chrome 76's defenses, detect you're in Incognito mode

Three key words: File, write, benchmark


A week ago, Google released Chrome 76, which included a change intended to prevent websites from detecting when browser users have activated Incognito mode.

Unfortunately, the web giant's fix opened another hole elsewhere. It enabled a timing attack that can be used to infer when people are using Incognito mode.

On Sunday, developer Jesse Li described a novel method to detect when Chrome users have activated Incognito mode using Chrome's FileSystem API: it is possible to benchmark the speed at which files can be written to disk using this software interface.

The technique is similar to one proposed last month by security researcher Vikas Mishra. He found that browser's Quota Management API, for managing temporary and persistent storage, can be used to infer the presence or absence of Incognito mode.

Incognito mode in Chrome sounds as if it keeps users anonymous online. But it doesn't. It simply prevents browsing activity from being stored in the History log and it erases local HTTP cookies and site data from memory when the Incognito session ends (rather than writing the data to local storage). Its purpose is to prevent other people using the same browser on the same device from being able to look at an in-browser record of past browsing sessions.

Web publishers with paywalls dislike Incognito mode because it prevents the setting of cookies to limit article consumption among non-paying visitors. To fight such freeloading, some paywalled websites include code that detects whether Chrome users have access to the FileSystem API – it used to be disabled when Incognito mode was active.

To eliminate this inconsistently, Google engineers in March last year proposed a plan to make the FileSystem API available when Incognito mode is active. The change debuted behind a flag in Chrome 74 and was turned on by default in Chrome 76. But Incognito mode can still be detected.

onanism

Incognito mode won't stop smut sites sharing your pervy preferences with Facebook, Google and, er, Oracle

READ MORE

What Li found was that the FileSystem API performs differently when Incognito mode is active. By conducting a series of write speed benchmarks, Li demonstrated that normal write operations are more irregular and take about three to four times longer than write operations when Incognito mode is active. The source code is available on GitHub.

The technique is slower and less reliable than determining whether the FileSystem API is available – it takes tens of seconds to conduct the measurements and different hardware configurations affecting timing data. But Li contends the issue is difficult to patch because Incognito mode stores data in memory while normal mode stores data to disk.

"The only way to prevent this attack is for both Incognito mode and normal mode to use the same storage medium, so that the API runs at the same speed regardless," Li wrote.

In Google's design document, Jochen Eisinger, director of engineering for Chrome, suggested timing attacks could be addressed by keeping only metadata in memory and encrypting files to disk rather than storing both metadata and files in memory when Incognito mode is active.

Google did not respond to a request for comment about whether it intends to explore this alternative approach to prevent timing and storage-based inferences about Incognito mode.

Li however is skeptical that a different strategy would lead to improved privacy. "While it’s resistant to our attacks, it leaves behind metadata: even if the data itself cannot be decrypted, its mere existence provides evidence of incognito usage, and leaks when the user last used incognito mode and the approximate size of the data they wrote to disk," Li's post claims.

According to Eisinger, Google intends to deprecate and eventually remove the FileSystem API eventually because it hasn't been adopted by other browser vendors and appears to be used mainly to detect Incognito mode. ®


Other stories you might like

  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading

Biting the hand that feeds IT © 1998–2022