The whole point of Incognito Mode on Chrome is to maintain some level of privacy on the internet — meaning, sites don’t know when you’re on them, and as a nice bonus, you can sometimes get around pesky paywalls. That said, web developers and publishers have since wised up, prompting Google to recently try and make Incognito mode more incognito with Chrome 76. The operative word being try, as it appears some sites, including The New York Times, have figured out how to still bypass Incognito Mode.
Basically, before Chrome 76, sites could make use of an unintended loophole. In Incognito Mode, Chrome’s FileSystem API is disabled. That particular API is used by sites to store temporary or permanent files, and if a site couldn’t detect it, it would then assume a user was browsing in private mode. The fix in Chrome 76 made the FileSystem API available even when in Incognito Mode, meaning sites would no longer be able to use its absence as a means of sussing out what mode someone was browsing in.
However, as noted by 9to5 Google, The New York Times is at least one site that’s found a way around the fix. If you visit the site in Incognito Mode and exceed your monthly free article limit, you’ll still get a popup notification that prompts you to log in to continue reading. It’s unclear how exactly the Times figured out another loophole; 9to5 Google notes that none of the code on the Times’s site is newly specific to Chrome 76 itself.
One reason might be that, according to a security researcher, it’s possible to detect private browsing by noting how much space the FileSystem API makes available.
Apparently, Incognito Mode puts a hard 120MB limit to the amount of temporary storage on the FileSystem API. Another security researcher discovered that write speeds in a normal tab are much slower than in an incognito window.
In any case, both workarounds — and whatever the Times is doing — sort of make the Chrome 76 fix futile. Ah well, looks like it’s back to the drawing board for Chrome developers.
[ZD Net]