Google has revealed that the Incognito Mode in its Chrome browser has a loophole “that has allowed sites to detect people who are browsing”.
The good news is that the company’s explanation of the problem says that the result of the loophole is not identification of individuals. Rather it means sites can detect those who visit while using Incognito Mode.
But the outcome is still bad because, as Google explains, “Chrome’s FileSystem API is disabled in Incognito Mode to avoid leaving traces of activity on someone’s device. Sites can check for the availability of the FileSystem API and, if they receive an error message, determine that a private session is occurring and give the user a different experience.”
Google doesn’t see a privacy problem with that. But it does see a business problem because it reckons that the loophole has often been used “to intercept Incognito Mode sessions and require people to log in or switch to normal browsing mode, on the assumption that these individuals are attempting to circumvent metered paywalls.”
Version 76 of Chrome, due on July 30th, will therefore change the behaviour of the FileSystem API “to remedy this method of Incognito Mode detection.” Future versions of Chrome will continue to foil other methods of Incognito Mode detection.
Google reckons the change will help business, provided they devise a strategy to handle users that try to get around their paywalls or registration requirements.
“Our News teams support sites with meter strategies and recognize the goal of reducing meter circumvention, however any approach based on private browsing detection undermines the principles of Incognito Mode,” the post concludes. “We remain open to exploring solutions that are consistent with user trust and private browsing principles.”
In related news, Google has increased the value of payouts in its bug bounty program for Chrome. The maximum baseline reward amount has tripled, going from US$5,000 to $15,000. Nasty bugs can now score double the maximum reward: that;s now $30,000, up from $15,000.
The company has also set the bar higher to score the big rewards, by requiring "a reliable exploit that demonstrates that the bug reported can be easily, actively and reliably used against our users." Details of the new bounties are here.