
Researchers find leaks in private browsing modes


By Nicole Kobie

Posted on 6 Aug 2010 at 10:18

Private browsing modes may not be as secure as many assume, according to a new study.

The four main browsers – Firefox, Internet Explorer, Chrome and Safari – leak data in different ways while in private mode, according to a paper by researchers at Stanford and Carnegie Mellon University, set to be delivered next week at the Usenix security conference.

First introduced in Safari 2 in 2005, private modes keep the browser from storing history, cookies and other session data.

The researchers found that while in private mode the browsers store URLs, links and even text from a page in a PC’s swap file, so skilled attackers could find out which sites were visited during a browsing session.

“This experiment shows that a full implementation of private browsing will need to prevent browser memory pages from being swapped out,” the study said. “None of the mainstream browsers currently do this.”
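To make the researchers' point concrete, here is an added example (not code from the study or from any browser) of keeping sensitive data out of the swap file on a POSIX system: the buffer is allocated in whole pages, pinned in RAM with `mlock()`, and zeroed before it is released. The `private_buf` type and its functions are hypothetical names, and the URL is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical holder for private-session data (URLs, page text). */
typedef struct {
    unsigned char *data;
    size_t len;    /* rounded up to whole pages */
    int locked;    /* 1 if mlock() pinned the pages in RAM */
} private_buf;

/* Allocate whole pages, so no unrelated heap data shares them, then pin them. */
int private_buf_open(private_buf *b, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    b->len = (want + page - 1) / page * page;
    b->data = aligned_alloc(page, b->len);
    if (b->data == NULL) return -1;
    /* mlock() fails if RLIMIT_MEMLOCK is too low: check 'locked' before use. */
    b->locked = (mlock(b->data, b->len) == 0);
    return 0;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
void private_buf_wipe(private_buf *b)
{
    volatile unsigned char *p = b->data;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
}

/* Wipe first, then unpin and free, so nothing readable is paged out later. */
void private_buf_close(private_buf *b)
{
    if (b->data == NULL) return;
    private_buf_wipe(b);
    if (b->locked) munlock(b->data, b->len);
    free(b->data);
    b->data = NULL; b->len = 0; b->locked = 0;
}

int main(void)
{
    private_buf b;
    if (private_buf_open(&b, 64) != 0) return 1;
    strcpy((char *)b.data, "https://example.test/visited"); /* constructed sample */
    printf("pinned in RAM: %s\n", b.locked ? "yes" : "no");
    private_buf_close(&b);
}
```

Pinning only protects the pages it covers: copies of the same data in other buffers can still be swapped, and suspend-to-disk writes all of RAM to disk regardless of memory locks.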


Extensions and add-ons were another area of concern. "The developers of these add-ons may not have considered private browsing mode while designing their software, and their source code is not subject to the same rigorous scrutiny that browsers are subjected to," the researchers noted. Because of this, IE and Chrome disable add-ons in private mode, but Firefox lets them keep working.

While such attacks would require the hacker to have access to the computer, privacy problems can also arise from the web side.

Browser makers warn that private mode won't keep users from being tracked across the web, but the study suggested some improvements could still be made. Safari, for example, makes public cookies available in private mode, making it easier to uncover the identity of users who are trying to keep their sessions secret.

It’s also possible for websites to detect whether a user is in private mode with a simple hack: looking at how the browser colours the URL, the study said. If the browser marks it to display as unvisited, the user has likely opted for private mode.

Not only shopping

That flaw has already been fixed in Firefox and Chrome, but not before letting the researchers uncover some not very surprising stats about why people use private modes in browsers, with twice as many opting for privacy when looking at porn sites as when buying gifts.

“We found that private browsing was more popular at adult web sites than at gift shopping sites and news sites, which shared a roughly equal level of private browsing use,” the report said. “This observation suggests that some browser vendors may be mischaracterising the primary use of the feature when they describe it as a tool for buying surprise gifts.”

Safari users were the most likely to use private browsing mode. The researchers said this was possibly because Safari has the most subtle design, while the other browsers open up a fresh window and make it very clear the browser is in private mode. “We expect that hiding the visual indicator causes users who turn on private browsing to forget to turn it off,” the study said.

User comments

“This observation suggests that some browser vendors may be mischaracterising the primary use of the feature when they describe it as a tool for buying surprise gifts.”

I'm not sure MS is brave enough to advertise a porn browser. Could make for a scary advert if Ballmer is involved.

By jamesyld on 6 Aug 2010

Private browsing modes are not going to go anywhere if they do things like disable add-ons or don't mark up visited sites (contrary to the HTML specification!)

Somebody has to decide whether their private mode is designed to be private
(a) from outside (in which case the PC can store cookies so long as they can't be seen)
or (b) to a subsequent user of the PC (in which case the PC can store cookies so long as they vanish after the browser is closed)
or (c) totally private to anyone including the current user. (Why???)

I did try using Firefox's private mode when it first appeared but rapidly lost interest when I found it was determined to keep secret from me what I'd just done, so I couldn't tell where I was up to in a list of a dozen links to be visited because I hadn't visited any of them it said!

Until someone works out what the modes are to be used _for_ then their take-up will be limited.

By AdrianB on 6 Aug 2010

"I'm not sure MS is brave enough to advertise a porn browser"

This offbeat Microsoft ad nearly did:
http://www.youtube.com/watch?v=xB9fhjnJcB0

Not for the faint-hearted.

By pbryanw on 6 Aug 2010

Swap file?

"The researchers found that while in private mode the browsers store URLs, links and even text from a page in a PC’s swap file"

In other words the browser is running. Why does it matter that it's in the swap file? If you're in a position to examine the swap file you might as well just look at the screen to see what website is displayed.

By peterm2k on 11 Aug 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk