ETag tracking is possible in incognito mode
Reported by
stu...@anchev.net,
Jun 29 2018
|
|||||||
Issue descriptionChrome Version : 67.0.3396.62 (openSUSE Build) (64-bit) OS Version: URLs (if applicable) : https://lucb1e.com/rp/cookielesscookies/ Other browsers tested: Add OK or FAIL after other browsers where you have tested this issue: Safari: Firefox: FAIL IE/Edge: What steps will reproduce the problem? 1. Disable JS and cookies 2. Start browser in incognito mode 3. Visit https://lucb1e.com/rp/cookielesscookies/ 4. Watch "Number of visits" on the page 5. Refresh a few times 6. Restart browser (again in incognito mode) 7. Visit the URL again What is the expected result? Number of visits: 1 What happens instead of that? Number of visits > 1. This means tracking through ETags is possible even in incognito mode, even after restart (when supposedly data should have been flushed). Even after manually Please provide any additional information below. Attach a screenshot if possible. Ctrl+F5 refreshing always results in Number of visits = 2 (still not 1). It would be good if Chromium provides an option to block ETag header. This is a door to user privacy abuse.
,
Jun 29 2018
,
Jul 1
,
Jul 4
,
Jul 4
Thanks for the report! As far as I know, we're using an in-memory cache implementation in Incognito, so this definitely shouldn't happen. Nevertheless, the bug reproduces consistently. Upping priority to 1. I played with the website and observed the following: a) Regular mode: If I type something into the text field and reload the page, the text stays. b) Incognito mode: Same behavior. c) Regular->Incognito: If I type something into the text field and then open the page in Incognito, the text stays (this is the bug), but after the next reload, it's gone. d) Regular->delete->Incognito: If I type something into the text field, then delete cache, then open Incognito, the text is still there. I think that observations c) and d) imply that this can't be an issue with the HTTP cache being shared between regular mode and Incognito. If it was, reloading in c) would keep showing the text, and the deletion in d) would conversely result in not showing it at all.
,
Jul 4
+component:Cache Cache folks, do you have an idea what could be going on here? +component:Blink>Loader Shot in the dark - is it possible that we're not caching an ETag in the HTTP cache, but somehow an entire rendered page somewhere else and reuse it once in Incognito?
,
Jul 6
I looked into the code of this page and it seems like they are cheating:
else { // No etag was sent. We need to generate one. Normally you would derive this from randomness.
$etag = substr(sha1($secret . sha1($_SERVER["REMOTE_ADDR"]) . sha1($_SERVER["HTTP_USER_AGENT"])), 0, 18);
}
(https://github.com/lucb1e/cookielesscookies/blob/master/index.php#L15)
Chrome correctly deletes all etags when cache is deleted or incognito mode is used but the site just generates the sessionid from your ip adress and user-agent. This website shows that fingerprinting works but there is no bug in Chrome. It can also be observed in devtool that we send no etag after cache deletion.
There is a discussion on the bug tracker about this issue: https://github.com/lucb1e/cookielesscookies/issues/18
,
Jul 6
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by stu...@anchev.net
, Jun 29 2018