Researchers find leaks in private browsing modes
Private browsing modes may not be as secure as many assume, according to a new study.
The four main browsers – Firefox, Internet Explorer, Chrome and Safari – leak data in different ways while in private mode, according to a paper by researchers at Stanford and Carnegie Mellon University, set to be delivered next week at the Usenix security conference.
First introduced in Safari 2 in 2005, private modes keep the browser from storing history, cookies and other session data.
The researchers found that while in private mode the browsers store URLs, links and even text from a page in a PC’s swap file, so skilled attackers could find out which sites were visited during a browsing session.
“This experiment shows that a full implementation of private browsing will need to prevent browser memory pages from being swapped out,” the study said. “None of the mainstream browsers currently do this.”
Add-ons’ source code is not subject to the same rigorous scrutiny that browsers are subjected to
Extensions and add-ons were another area of concern. “The developers of these add-ons may not have considered private browsing mode while designing their software, and their source code is not subject to the same rigorous scrutiny that browsers are subjected to,” the researchers noted. Because of this, IE and Chrome disable add-ons in private mode, but Firefox lets them keep working.
While such attacks would require the hacker to have access to the computer, privacy problems can also occur from the web side as well.
Browser makers warn that private mode won’t keep users from being tracked across the web, but the study suggested some improvements could still be made. Safari, for example, makes public cookies available in private mode, making it easier to uncover the identity of users who are trying to keep their sessions secret.
It’s also possible for websites to uncover if a user is in private mode with a simple hack by looking at how the browser colours the URL, the study said. If the browser marks it to display as unvisited, the user has likely opted for private mode.
Not only shopping
That flaw has already been fixed in Firefox and Chrome, but not before letting the researchers uncover some not very surprising stats about why people use private modes in browsers, with twice as many opting for privacy when looking at porn sites than for buying gifts.
“We found that private browsing was more popular at adult web sites than at gift shopping sites and news sites, which shared a roughly equal level of private browsing use,” the report said. “This observation suggests that some browser vendors may be mischaracterising the primary use of the feature when they describe it as a tool for buying surprise gifts.”
Safari users were the most likely to use private browsing mode. The researchers said this was possibly because Safari has the most subtle design, while the other browsers open up a fresh window and make it very clear the browser is in private mode. “We expect that hiding the visual indicator causes users who turn on private browsing to forget to turn it off,” the study said.