For years, web developers could use a simple trick to detect whether someone was browsing in Chrome’s Incognito Mode. As of Chrome version 76, Google has disabled this detection method, giving Incognito Mode better anonymity. Before Chrome 76 could even be released, however, a security researcher discovered another way to reliably detect Incognito Mode.
Before Chrome 76, web developers and news publications could detect Incognito readers by simply checking whether they could access Chrome’s FileSystem API, which was disabled in Incognito Mode for security reasons. Google closed this loophole by enabling a memory-based version of the FileSystem API for Incognito.
Security researcher and PhD student Vikas Mishra claims to have found another API that behaves differently in Incognito Mode. Chrome and other browsers have a Storage Quota Management API, used by web apps to know how much temporary storage space they’ve been allotted and how much of that allotment remains.
Under normal browsing, the total storage capacity, shared across all apps, is at least 10% of the disk drive’s maximum capacity with a maximum of 2 GB. An app that uses temporary storage can use up to half of this, making for a maximum of 1 GB.
However, in Incognito Mode, where writing to the hard drive could potentially allow a device to be tracked, the storage allotment is a percentage of your device’s RAM, with a maximum of 120 MB. Mishra did the math and determined that for a non-Incognito browser to have only 120 MB of storage quota, it would need to have an absolutely tiny 2.4 GB hard drive.
Given that having such a small storage drive would be unheard of in 2019, it’s highly likely that if Chrome reports only having 120 MB, that means you’re in Incognito Mode. This means that all a web developer would need to do to detect Incognito Mode is check whether the available storage quota is larger than 120 MB. Mishra even lays out sample code in his blog to show how simple his new method is.
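The arithmetic behind the 2.4 GB figure and the resulting check can be written out as follows. This is an added example, not Mishra's sample code or code from this article; the decimal units, the function names, and reading the live value through `navigator.storage.estimate()` are assumptions.

```javascript
// Added example: models the quota figures quoted in this article.
// Assumption: decimal units (1 MB = 10^6 bytes); the article does not say.
const MB = 1000 * 1000;
const GB = 1000 * MB;

const INCOGNITO_CAP = 120 * MB; // article: Incognito quota tops out at 120 MB
const POOL_DIVISOR = 10;        // article: shared pool is 10% of the disk...
const POOL_CAP = 2 * GB;        // ...with a maximum of 2 GB
const APP_DIVISOR = 2;          // article: one app may use up to half the pool

// Quota one app would be offered in a normal (non-Incognito) profile.
function normalModeQuota(diskBytes) {
  const pool = Math.min(diskBytes / POOL_DIVISOR, POOL_CAP);
  return pool / APP_DIVISOR;
}

// Largest disk on which a normal profile still reports <= 120 MB.
// Any machine at or below this size is a false positive for the check.
function falsePositiveDiskLimit() {
  return INCOGNITO_CAP * APP_DIVISOR * POOL_DIVISOR;
}

// What a page can infer from the reported quota alone.
function inferFromQuota(quotaBytes) {
  if (!Number.isFinite(quotaBytes) || quotaBytes <= 0) return "unknown";
  return quotaBytes > INCOGNITO_CAP ? "normal" : "incognito-like";
}

// Reads the live value. `storage` is normally navigator.storage; it is a
// parameter so the function can be exercised with a stub outside a browser.
async function probe(storage) {
  if (!storage || typeof storage.estimate !== "function") return "unknown";
  const { quota } = await storage.estimate();
  return inferFromQuota(quota);
}
```

Running `probe(navigator.storage)` in a normal window and in an Incognito window shows whether a given Chrome build still exposes the difference.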
For Google’s part, the Chrome team knew that more Incognito Mode detection methods would be discovered. While planning to fix the original Incognito Mode detection method, the developers outlined in an internal document yet another plausible way to detect Incognito Mode following the fix. That being the case, hopefully Google will continue to take the issue seriously going forward and develop a fix for Mishra’s new method.
In the meantime, as Mishra’s detection method is still relatively new, web developers and publishers will likely not be putting it to use in the immediate future. Google also encouraged publishers to consider respecting the core privacy principles of Incognito Mode before enacting reactionary changes.