One of the major improvements introduced with Google Chrome 76 was that the browser won’t let websites know if the user is browsing on incognito mode. Well, you could still get detected if you’re using incognito mode by these two new methods discussed in this article.
To achieve the above-mentioned “fix”, Google reportedly started using a “transient memory filesystem” that gets wiped whenever the user terminates a session. The first method involves detecting the incognito mode through filesystem quotas. That is, detection will be made by the amount of storage that is allocated for the internal filesystem. According to security researcher Vikas Mishra, Chrome allocates a maximum quota of 120MB for incognito mode while the value is set to nearly 2.4 GB for normal browsing sessions.
“Based on the above observations, key differences in TEMPORARY storage quota between incognito and non-incognito mode are that in case of incognito mode, there’s a hard limit of 120MB while this is not the case for non-incognito window,” wrote the researcher in his blog post.
The second method involves detecting incognito mode based on access timings. Google has switched to memory filesystem for incognito mode. In case you are not aware, memory filesystems tend to perform faster when compared to disk filesystems. Security researcher Jesse Li wrote a script to measure and display the write speeds. This way, it can be easily detected if a user is browsing on incognito mode or not.
“We can see that writes to the writes to disk are massively spikier and take up to 3-4x longer than writes to memory,” wrote the researcher in a blog post.
BleepingComputer reached out to Google regarding these methods for which the software giant has ensured that they will “work to remedy any other current or future means of Incognito Mode detection.” This hints that these two incognito mode detection methods could be fixed with the next Chrome update.
