We published a report last month on Google’s plan to fix a loophole in the FileSystem API. Websites were using the loophole to detect traces of activity even when the user was in incognito mode. The fixes have already been applied; the New York Times, however, is still able to identify private browsing activity.
According to a Techdows report, two security researchers, Jesse Li and Vikas Mishra, found ways that still work after Google’s incognito mode detection prevention.
According to Vikas Mishra’s report, websites can still detect incognito mode by playing around with the Quota Management API. Jesse Li found a way for websites to detect private mode by measuring the speed of writes to the FileSystem API, and says, “FileSystem API writes are measurably faster and less noisy in an incognito mode allowing websites to detect incognito visitors by benchmarking their write speed.”
When it announced the fix to the FileSystem API, Google promised to prioritize its users’ privacy and to repair any future means of Incognito mode detection. The browser’s developers have now filed a bug report for these two loopholes and will likely have them repaired soon.
Below is the bug description:
After adding in-memory file system API (issue: 93417), we have two other related surfaces for incognito mode detection using FS-API:
- Available quota in regular mode is much bigger than incognito mode, and this creates an almost clear detection surface.
- Access to memory is much faster than disk, and it makes timing attacks possible.