New issue
Advanced search Search tips
Starred by 4 users

Issue metadata

Status: Verified
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Sign in to add a comment

Android keyboard suggestions leak information typed in incognito window

Reported by, Apr 8 2016 Back to list

Issue description

Steps to reproduce the problem:
1. Type a specific string in an incognito window frequently (e.g. an acronym in a url)
2. Observe that when typing similar strings outside of Chrome (e.g. in hangouts) the string from the incognito window is suggested as a correction.

What is the expected behavior?
Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model

What went wrong?
The sensitive content typed in incognito windows was suggested outside of incognito window context. This shows that the information is available outside of incognito mode, and opens the potential for a user to accidentally leak something they'd like to be private.

Did this work before? N/A 

Chrome version: 49.0.2623.105  Channel: stable
OS Version: 6.0.1
Flash Version: 

This really might be more accurately characterized as a privacy bug, but crbug didn't have an option, so I selected "Security" out of the assumption that the chrome security team will know how to route this to an appropriate privacy team.

Comment 1 by, Apr 8 2016

"crbug didn't have an option for privacy bugs", that is. (No radio button for it in the form.)

Comment 2 by, Apr 9 2016

Components: Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 3 by, Apr 11 2016

Just FYI: Here is a similar request for Chromium OS in Issue 311180.

Comment 4 by, Apr 13 2016

A feature request for incognito support for the Android keyboard APIs is tracked at b/28157942.
Project Member

Comment 5 by, Jun 3 2016

Labels: Hotlist-Google
Project Member

Comment 6 by, Jun 5 2017

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit - Your friendly Sheriffbot
Status: Available (was: Archived)
Status: Verified (was: Available)
Starting from Chrome 59, Chrome for Android specifies IME_FLAG_NO_PERSONALIZED_LEARNING [1] when the browser is in incognito mode.  This allows the target IME to change the behavior as you requested.  See and for details.

> What is the expected behavior?
> Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model

While whether IME_FLAG_NO_PERSONALIZED_LEARNING is honored or not is still up to the active IME, in the Chrome side I think there is no remaining task. If the software keyboard you are using doesn't support IME_FLAG_NO_PERSONALIZED_LEARNING yet, please reach out the developer of that IME.


Labels: M-59

Sign in to add a comment