|Android keyboard suggestions leak information typed in incognito window|
|Reported by email@example.com, Apr 8 2016||Back to list|
Steps to reproduce the problem: 1. Type a specific string in an incognito window frequently (e.g. an acronym in a url) 2. Observe that when typing similar strings outside of Chrome (e.g. in hangouts) the string from the incognito window is suggested as a correction. What is the expected behavior? Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model What went wrong? The sensitive content typed in incognito windows was suggested outside of incognito window context. This shows that the information is available outside of incognito mode, and opens the potential for a user to accidentally leak something they'd like to be private. Did this work before? N/A Chrome version: 49.0.2623.105 Channel: stable OS Version: 6.0.1 Flash Version: This really might be more accurately characterized as a privacy bug, but crbug didn't have an option, so I selected "Security" out of the assumption that the chrome security team will know how to route this to an appropriate privacy team.
Apr 8 2016,
"crbug didn't have an option for privacy bugs", that is. (No radio button for it in the form.)
Apr 9 2016,
Apr 11 2016,
Just FYI: Here is a similar request for Chromium OS in Issue 311180.
Apr 13 2016,
A feature request for incognito support for the Android keyboard APIs is tracked at b/28157942.
Jun 3 2016,
Jun 5 2017,
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 6 2017,
Starting from Chrome 59, Chrome for Android specifies IME_FLAG_NO_PERSONALIZED_LEARNING  when the browser is in incognito mode. This allows the target IME to change the behavior as you requested. See crrev.com/2901023002 and crrev.com/2905673002 for details. > What is the expected behavior? > Any information typed in incognito mode should not go into the keyboard's dictionary or suggestion model While whether IME_FLAG_NO_PERSONALIZED_LEARNING is honored or not is still up to the active IME, in the Chrome side I think there is no remaining task. If the software keyboard you are using doesn't support IME_FLAG_NO_PERSONALIZED_LEARNING yet, please reach out the developer of that IME. : https://developer.android.com/reference/android/support/v13/view/inputmethod/EditorInfoCompat.html#IME_FLAG_NO_PERSONALIZED_LEARNING
|► Sign in to add a comment|