Security: Chrome Incognito is caching previous sessions
Reported by
jtrajew...@gmail.com,
Jan 15 2018
Issue description

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Google Chrome Incognito is saving previous session data after the window is closed.

Background - I authenticated via Incognito to test something earlier in the day. Later this evening after I closed the Incognito hours ago - I went Incognito again to test something else and my old data was still being stored by Chrome (I knew this as I was still authenticated to Gmail). I was able to reproduce this (see video below) - I highlighted what was happening and tried several different ways to reproduce the issue.

VERSION
Chrome Version: 63.0.3239.132 (Official Build) (64-bit) + Stable
Operating System: OSX 10.12.6 16G29

REPRODUCTION CASE
I was able to close and open Google Chrome Incognito windows and have previous session data present itself (including authenticated accounts)
See video - unlisted on youtube https://youtu.be/jGTDBA34Ofg
Jan 15 2018
This should only happen if there is a second incognito window somewhere because incognito state is deleted when all incognito windows are closed. Please check if that is the case.
Jan 15 2018
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-are-the-security-and-privacy-guarantees-of-Incognito-mode

FWIW, the explanation in #2 is not well-understood and has been the source of all of the reports of this behavior I've seen. After confirmation, please dupe to Issue 722122.
Jan 15 2018
Thank you for the quick response on this. I hope this isn't a bug. After completely closing Chrome - then trying to reproduce the issue, I was unable to do so. There is a possibility the explanation in #2 happened last night. If this is the case, then the explanation in #3 is also important here.

To a typical user, why would one assume that if I had multiple Incognito tabs/windows open that they would all share the same cache until I closed all of the windows/tabs? The description of Incognito when one opens a new tab is:

Chrome won’t save the following information:
- Your browsing history
- Cookies and site data
- Information entered in forms

This is not true. Data is being saved in some form of Cache. I also understand this is somewhat of a feature so people can persistently use Incognito like a normal web browser. If that is the case, then I think the team should consider a feature in addition to the current Incognito called "isolated incognito". This feature could be buried in the UI (similar to how viewing website certificates was moved) as most users would not need to use this on a regular basis.

Just some thoughts. Thank you again for quickly looking into this.
Jan 15 2018
Multiple Incognito windows share the same Incognito profile, the same way as multiple regular windows share the same underlying persistent profile. From that perspective, it's consistent. Nevertheless, I agree that this is a common complaint, and that partitioning Incognito per browser window would be a more understandable user experience. Unfortunately, this is a significant architectural change to Chrome. In the shorter term, we should probably think about a UI solution to remind users of this fact.

+cc maxwalker@ FYI
Jan 15 2018
And yes, I think the Incognito tab peeking from behind the regular tab in your video confirms that this is indeed issue 722122. Let's move the discussion there then.
Jan 15 2018
Comment 1 by dominickn@chromium.org, Jan 15 2018
Labels: OS-Mac
Owner: msramek@chromium.org
Status: Assigned (was: Unconfirmed)