Starred by 4 users
Status: Verified
Owner:
Closed: Sep 6
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Android keyboard suggestions leak information typed in incognito window
Reported by joshz@google.com, Apr 8 2016
Steps to reproduce the problem:
1. Type a specific string in an incognito window frequently (e.g. an acronym in a url)
2. Observe that when typing similar strings outside of Chrome (e.g. in hangouts) the string from the incognito window is suggested as a correction.

What is the expected behavior?
Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model

What went wrong?
The sensitive content typed in incognito windows was suggested outside of incognito window context. This shows that the information is available outside of incognito mode, and opens the potential for a user to accidentally leak something they'd like to be private.

Did this work before? N/A 

Chrome version: 49.0.2623.105  Channel: stable
OS Version: 6.0.1
Flash Version: 

This really might be more accurately characterized as a privacy bug, but crbug didn't have an option, so I selected "Security" out of the assumption that the chrome security team will know how to route this to an appropriate privacy team.
 
Comment 1 by joshz@google.com, Apr 8 2016
"crbug didn't have an option for privacy bugs", that is. (No radio button for it in the form.)
Comment 2 by kenrb@chromium.org, Apr 9 2016
Components: Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Comment 3 by yukawa@chromium.org, Apr 11 2016
Just FYI: Here is a similar request for Chromium OS in Issue 311180.
Comment 4 by battre@chromium.org, Apr 13 2016
A feature request for incognito support for the Android keyboard APIs is tracked at b/28157942.
Project Member Comment 5 by sheriffbot@chromium.org, Jun 3 2016
Labels: Hotlist-Google
Project Member Comment 6 by sheriffbot@chromium.org, Jun 5
Status: Archived
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Available
Owner: changwan@chromium.org
Status: Verified
Starting from Chrome 59, Chrome for Android specifies IME_FLAG_NO_PERSONALIZED_LEARNING [1] when the browser is in incognito mode.  This allows the target IME to change the behavior as you requested.  See crrev.com/2901023002 and crrev.com/2905673002 for details.

> What is the expected behavior?
> Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model

While whether IME_FLAG_NO_PERSONALIZED_LEARNING is honored or not is still up to the active IME, on the Chrome side I think there is no remaining task. If the software keyboard you are using doesn't support IME_FLAG_NO_PERSONALIZED_LEARNING yet, please reach out to the developer of that IME.

 [1]: https://developer.android.com/reference/android/support/v13/view/inputmethod/EditorInfoCompat.html#IME_FLAG_NO_PERSONALIZED_LEARNING

Labels: M-59
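
An added illustration of the flag discussed in the last comment, showing both sides of the contract: an app requesting no learning on a field, and a keyboard that honors the request. This is not Chrome's code and not from this issue; the class names and the in-memory `userHistory` store are hypothetical, and the framework constant `EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING` assumes API level 26 or later.

```java
// Added example: class names and the userHistory store are hypothetical.
// Assumes API level 26+, where the framework constant is available.
import android.inputmethodservice.InputMethodService;
import android.view.inputmethod.EditorInfo;
import android.view.inputmethod.InputConnection;
import android.widget.EditText;
import java.util.HashMap;
import java.util.Map;

/** App side: ask the IME not to learn from a sensitive field. */
final class PrivateInput {
    private PrivateInput() {}

    static void disableLearning(EditText field) {
        // OR the flag in so existing options (action, no-extract-UI, ...) survive.
        field.setImeOptions(field.getImeOptions()
                | EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING);
    }
}

/** IME side: the flag is only a request, so the keyboard must check it. */
class LearningAwareIme extends InputMethodService {
    // Stand-in for a persistent user dictionary / suggestion model.
    private final Map<String, Integer> userHistory = new HashMap<>();
    // Fail closed: no learning until a field is known to permit it.
    private boolean learningAllowed = false;

    @Override
    public void onStartInput(EditorInfo attribute, boolean restarting) {
        super.onStartInput(attribute, restarting);
        learningAllowed = (attribute.imeOptions
                & EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING) == 0;
    }

    @Override
    public void onFinishInput() {
        super.onFinishInput();
        learningAllowed = false;
    }

    /** Commits a word to the editor and records it only when permitted. */
    void commitWord(String word) {
        InputConnection ic = getCurrentInputConnection();
        if (ic == null) return;
        ic.commitText(word, 1);
        if (learningAllowed) {
            userHistory.merge(word, 1, Integer::sum);
        }
    }
}
```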