Starred by 14 users

Issue metadata

Status: Assigned
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, All, Chrome, Mac
Pri: 3
Type: Bug

Issue 588766: Security: Incognito Mode Detection via "Logic" Flaw In Chrome Extensions

Reported by, Feb 22 2016

Issue description

A web page is able to detect if the user is using Incognito mode or not, using a logic "flaw" of chrome extensions.
As you know, extensions don't work on Incognito mode, unless you allow them to (in the chrome://extensions/ page).
In addition, when you install Chrome there are a few default extensions that come with it. One of them is Google Docs Offline.
Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi) has a web_accessible_resource - page_embed_script.js.
This resource can be loaded from a local web, using the simple <script src=""></script> tag.

But, when a user is surfing on incognito mode, the load of this default js file is being blocked, with the error:
chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js net::ERR_ADDRESS_UNREACHABLE

So, all we have to do is try loading this local script, and put an 'onerror' event to detect if the user is on incognito or not.

This is very exploitable since the extension I am using is pre-installed on every version of chrome.

Watch this private PoC video here:

Chrome Version: I am using the latest, but this is relevant among all versions.
Operating System: I am using 10 x64, but I have tested on 7 x86 and x64.

1. On incognito mode, create a <script src=""> tag to a location of a chrome-extension web_accessible_resource, such as a .js file.
2. Put an onerror event that will trigger if there will be a problem loading the extension's file.
3. Surf on incognito
4. And boom - you are now detected since the extension is disabled in incognito by default.
5. You can watch this private (for your eyes only) PoC video here:

No crashes were detected.

Comment 1 by, Feb 23 2016

Components: UI>Browser>Incognito
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
I don't think incognito mode makes the guarantee that it's undetectable to sites. See and

I'll leave this to incognito folks to triage just in case.

Comment 2 by, Feb 24 2016

Components: Platform>Extensions Privacy
Incognito shouldn't be detectable ideally. A bug like this is to be fixed.

Comment 3 Deleted

Comment 4 by, Feb 24 2016

@2 Hi, I would like your opinion about the severity of this issue, since this directly threatens the user's privacy.

Comment 5 by, Aug 9 2016

Devlin: assigning to you if you don't mind. Looks similar to bug 448002, and directly relevant to bug 588766.

Comment 6 by, Aug 9 2016

Labels: OS-All
Status: Assigned (was: Unconfirmed)

Comment 7 by, Aug 10 2016

Err, I meant "directly relevant to bug 139592"

Comment 8 by, Aug 10 2016

This is a well-known aspect of web accessible resources, and is even documented [1].  If an extension exposes any web accessible resources, it means that its presence can be determined.  In a perfect world, yes, we would change this, but it's unclear when or if that can happen.

It's also not an excellent indication of incognito or not - many users don't have the drive extension installed, and some who do have it enabled incognito - in both cases, the conclusion drawn here would be incorrect.

IMO, the best fix here would be for drive to remove the web accessible resource.  I don't think there's really any need for it.  James, do you have a contact on the drive team that could look into this?
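
Added example, not part of the original thread and not Chrome or Drive code: a small manifest audit an extension author could run to see which web accessible resources let a page determine the extension's presence, the exposure comment 8 describes. It goes beyond the thread by also handling the Manifest V3 object form (`resources`, `matches`, `extension_ids`, `use_dynamic_url`); the function names, exposure labels and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: classify each web_accessible_resources entry by who can load it.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2 form: a bare path, loadable from any web origin.
      findings.push({ resource: entry, exposure: "all-origins" });
      continue;
    }
    // Manifest V3 form: { resources, matches, extension_ids, use_dynamic_url }.
    const matches = entry.matches || [];
    const broad = matches.some(
      (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(m));
    let exposure;
    if (matches.length === 0) exposure = "extensions-only";
    else if (!broad) exposure = "listed-origins";
    else if (entry.use_dynamic_url) exposure = "all-origins-dynamic-url";
    else exposure = "all-origins";
    for (const resource of entry.resources || []) {
      findings.push({ resource, exposure });
    }
  }
  return findings;
}

// True when any page on the web can test for the extension at its fixed ID URL.
function presenceDetectable(manifest) {
  return auditWebAccessibleResources(manifest)
    .some((f) => f.exposure === "all-origins");
}

// Constructed sample manifests (not the real Google Docs Offline manifest).
const mv2Sample = {
  manifest_version: 2,
  web_accessible_resources: ["page_embed_script.js"],
};
const mv3Sample = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/*.png"], matches: ["https://docs.example.com/*"] },
    { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};
const removedSample = { manifest_version: 3 }; // resource removed entirely

console.log(auditWebAccessibleResources(mv2Sample));
console.log(presenceDetectable(mv3Sample), presenceDetectable(removedSample));
```

Entries reported as `listed-origins` remain detectable by the origins they name, so removing the resource, as suggested above, is the only result that reports no findings at all.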


Comment 9 by, Aug 17 2016

Yep, I'll kick off a thread with the Drive folks about this.

Comment 10 by, Feb 9 2018

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Revisiting old bugs.  jawag@, did the thread with the drive folks ever go anywhere?

Comment 11 by, Feb 23 2018

This vulnerability is now being used for bad purposes. Navigating to gives me the message:


We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Comment 12 by, Feb 23 2018

RE #11: Actually, I believe they're using a different Incognito detection mechanism, see

The article's script has detections for the private mode of each browser;

detects = [
  ["Webkit RequestFileSystem", isWebkitRequestFileSystem, detectWebkitRequestFileSystem],
  ["Firefox IndexedDB", isFirefoxIndexedDB, detectFirefoxIndexedDB],
  ["IE10+ / Edge", isIE10PlusOrEdge, detectIE10PlusOrEdge],
  ["Safari LocalStorage", isSafariLocalStorage, detectSafariLocalStorage]
];

Comment 13 by, Feb 23 2018

#12 - right, the same here - - :(
The other bug is private, so I cannot comment there.

Comment 14 by, Feb 23 2018

James, any updates here?  (See comments 8, 9, 10)

Comment 15 Deleted

Comment 16 by, Apr 20 2018

Components: Privacy>Incognito
