Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Flaw in Chrome for iOS 7 Reveals Incognito Searches

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,511
13,146



Chrome's latest update, which added support for iOS 7, also included a significant flaw that was discovered by design firm Parallax (via TechCrunch). When using the search or address bar in an Incognito window within the app, browsing history will be saved and shared with the standard Google.com browser.

Google's Incognito mode is designed to keep searches for sensitive information private, but as detailed in the video, searches will be displayed when the standard Google.com browser is accessed. The flaw can be replicated with the following steps:

- Open an Incognito window
- Enter a search term in the address bar and hit enter
- Open a non-Incognito window
- Navigate to Google.com
- Tap the search box on the page to see Incognito searches

TechCrunch contacted Google and learned that there is no fix for the issue, as it is an "unfortunate but unavoidable loophole that comes with building a browser for iOS. The company cites its Incognito support note, which does address the issue.
On Chrome for iOS, due to platform limitation regular and incognito* tabs share HTML5 local storage, which is typically used by sites to store files on your device (client-side caching) or to provide offline functionality. This means the same sites can always access their data in this storage in both regular and incognito* tabs. Incognito* tabs will still keep browsing history and cookies separate from regular tabs, which are cleared once those tabs are closed.
Apple's default Safari browser does not appear to have the same issue, accurately hiding searches made in Private mode.

Article Link: Flaw in Chrome for iOS 7 Reveals Incognito Searches
 

PracticalMac

macrumors 68030
Jan 22, 2009
2,809
5,089
Houston, TX
TechCrunch contacted Google and learned that there is no fix for the issue, as it is an "unfortunate but unavoidable loophole that comes with building a browser for iOS. The company cites its Incognito support note, which does address the issue. Apple's default Safari browser does not appear to have the same issue, accurately hiding searches made in Private mode.

Someone is dropping the ball.
 
Comment

Rocco83

macrumors 6502
Jul 3, 2011
275
309
Ohio
Hey everyone, Google here. We screwed something up in our browser. Apple's fault, not it!
 
Comment

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,049
There are "flaws" in the Windows, Chrome OS, Android, and Mac version of Chrome also that allow the search history and more to be pulled from a computer. It's not just an iOS thing.
 
Comment

MartinAppleGuy

macrumors 68020
Sep 27, 2013
2,246
887
Hey everyone, Google here. We screwed something up in our browser. Apple's fault, not it!

Your not Google; I'm Google. Sorry we screwed up as our programming skills appear to be lacking with mobile apps. I would like to say it won't happen again but it probably will.

We can all play Google; and Google wouldn't just blame it all on Apple.
 
Comment

seamer

macrumors 6502
Jul 24, 2009
426
164
I wouldn't be so quick to say "Safari is able to do it." Simply due to the fact Apple doesn't have to follow its own submission process, and their apps can have certain privileges that third-parties cannot.
 
Comment

rdlink

macrumors 68040
Nov 10, 2007
3,226
2,434
Out of the Reach of the FBI
"TechCrunch contacted Google and learned that there is no fix for the issue, as it is an "unfortunate but unavoidable loophole that comes with building a browser for iOS. The company cites its Incognito support note, which does address the issue. Apple's default Safari browser does not appear to have the same issue, accurately hiding searches made in Private mode."

Translation: We think we're smart enough to use the "It's iOS, not us." Trojan Horse to continue to surreptitiously gather information on people who are naive enough to trust us.
 
Comment

keysofanxiety

macrumors G3
Nov 23, 2011
9,534
25,271
I definitely don't trust Google as much as I feel I did. Back when Google were really taking off, they were known for a genuinely good search engine. They were much, much smaller back then, compared to how they are now.

And yet their searches these days are dominated with Google adwords, and their featured adverts. All money making machines that they never had way-back-when, a time when arguably they needed more money. It just seems like they've lost their roots a little, and it's disappointing.

But then I try using other search engines on my computer such as Bing, and it just feels wrong. Nothing against Bing, but I just can't bring myself to 'Bing' my question.

Maybe I'm alone in this sentiment … but I'm worried it's only a matter of time until a huge Google privacy scandal is revealed.
 
Comment

willdude

macrumors regular
Jul 16, 2010
182
120
I wouldn't be so quick to say "Safari is able to do it." Simply due to the fact Apple doesn't have to follow its own submission process, and their apps can have certain privileges that third-parties cannot.

Indeed, this would seem to be exactly the case, since Apple doesn't let third-party apps restrict HTML5 local storage, which is what Google and other sites use for this search history.

It's also been like this since at least iOS 6, so it's weird that it's suddenly getting all this coverage.
 
Comment

BC2009

macrumors 68000
Jul 1, 2009
1,978
352
[previous comment removed - nevermind]

This is not related to a Objective C UI control, but rather to an HTML Text input element which Safari's engine renders. Google may not have a hook to intercept and filter content for auto-complete.
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
That's infuriating!

That's my personal information, intended ONLY for the eyes of Google, Google employees, Google advertisers, Google partners, and Google long-term data storage.

I could swear that other non-Apple browsers get this right, but I haven't used any for long.

It sounds trivial, if nothing else, to simply "flag" items in the history as being private, and simply NOT display them in a non-private tab. "No fix"?? OK, so you can't use separate storage (maybe) but you CAN still note the difference between private an non-private searches!

Or simply don't store the private ones at all, if that's the quickest workaround. I'm sure there are many ways, ideal or not.
 
Comment

redscull

macrumors 6502a
Jul 1, 2010
785
739
Texas
Google is flat out full of bologna. This is their bug, irrefutably.

Sure, it's true that local storage is shared between incognito and normal modes, but it's also trivial to prefix all your storage keys with "incognito-" while reading/writing in incognito mode, and ensuring that normal mode never reads/writes storage keys prefixed with "incognito-".

Would your sensitive data still be on your system? Yeah, chrome would have to periodically clear all "incognito-" prefixed keys' values to resolve that. But at least these sensitive values would never be displayed via the browser. Only a data miner with access to your file system could get at them.

This kind of fix could be performed by a novice engineer. It is an embarrassing bug, not Apple's fault. Not unavoidable.
 
Comment

bacaramac

macrumors 65816
Dec 29, 2007
1,415
80
Guess I don't see the big draw to not use iOS Safari. I think it works rather well . Guess it provides benefits to some, but I see no reason to stray from built in apps if you don't have to.
 
Comment

redscull

macrumors 6502a
Jul 1, 2010
785
739
Texas
Google already has every piece of sensitive data from incognito searches because you sent it to their server when you did the search! There is no reason they need to preserve that data on your system except for features that enhance your convenience.

It is a bug in their source code. They should fix it.
 
Comment

iSRS

macrumors 6502
Mar 2, 2010
433
194
I definitely don't trust Google as much as I feel I did. Back when Google were really taking off, they were known for a genuinely good search engine. They were much, much smaller back then, compared to how they are now.

And yet their searches these days are dominated with Google adwords, and their featured adverts. All money making machines that they never had way-back-when, a time when arguably they needed more money. It just seems like they've lost their roots a little, and it's disappointing.

But then I try using other search engines on my computer such as Bing, and it just feels wrong. Nothing against Bing, but I just can't bring myself to 'Bing' my question.

Maybe I'm alone in this sentiment … but I'm worried it's only a matter of time until a huge Google privacy scandal is revealed.

Not alone. I am right there with you. When I search for something, and get the first hit as an ad, and the second is the same link but bit an ad and just a search result.
 
Comment

Daveoc64

macrumors 601
Jan 16, 2008
4,072
86
Bristol, UK
I can't believe how badly people in this thread are willing to deny that Apple is at fault.

It's obvious that this is a problem with iOS, and it always has been. What shocks me most is that a security research company didn't think to check the product page for the feature they're accusing of having a security flaw before going to press!

As noted by redscull, there's absolutely no reason for Google to want this - it does not help them in the slightest.
 
Comment

iSRS

macrumors 6502
Mar 2, 2010
433
194
I have to say, regardless if it is Apple restricting something or not, who put the option to turn on Incognito mode, Apple or Google? The blame lies with them.

Oh, it was Google? Right. Apple's fault.

Note to Google. Send me the code. I'll fix it for you and have it submitted to Apple within the hour.

Too much work for you? Ok, here is the fix. REMOVE THE OPTION!!!!!

----------

I can't believe how badly people in this thread are willing to deny that Apple is at fault.

It's obvious that this is a problem with iOS, and it always has been. What shocks me most is that a security research company didn't think to check the product page for the feature they're accusing of having a security flaw before going to press!

As noted by redscull, there's absolutely no reason for Google to want this - it does not help them in the slightest.

See my post (#20 - right under yours)

Apple didn't put the option to put turn it on. Google did. Simple fix. If Google knows (their article implies they do) REMOVE THE OPTION.
 
Comment

Daveoc64

macrumors 601
Jan 16, 2008
4,072
86
Bristol, UK
See my post (#20 - right under yours)

Apple didn't put the option to put turn it on. Google did. Simple fix. If Google knows (their article implies they do) REMOVE THE OPTION.

As the browser itself and the support article state, the Incognito* feature on iOS does offer some privacy features.

It's not as good as the Incognito feature on other platforms, but it's better than nothing.
 
Comment

redscull

macrumors 6502a
Jul 1, 2010
785
739
Texas
I can't believe how badly people in this thread are willing to deny that Apple is at fault.
It is a bug in google's code. This is fact. I've been a professional developer since the mid 90s. I am extremely versed in how HTML's local storage works and have used it extensively. It's a very simple key=value persistence system. All google has to do to fix this bug is use different key names when browsing in incognito mode vs. normal mode. No one is forcing google to use any particular key names. They exist in their entirety in google's code.
 
Comment

Daveoc64

macrumors 601
Jan 16, 2008
4,072
86
Bristol, UK
It is a bug in google's code. This is fact. I've been a professional developer since the mid 90s. I am extremely versed in how HTML's local storage works and have used it extensively. It's a very simple key=value persistence system. All google has to do to fix this bug is use different key names when browsing in incognito mode vs. normal mode. No one is forcing google to use any particular key names. They exist in their entirety in google's code.

Your solution is not a good idea for a number of reasons.

The point of a mode like Incognito is to create a sandboxed environment.

It might also be possible to trick such a "flimsy" mechanism.

I don't care how well versed you are in development. If iOS has this issue, but no other platform does - Apple has a problem.

You cannot describe this as a bug. Incognito* mode is documented as functioning in this way. If people don't read what they're using, it's not a bug.
 
Comment

iSRS

macrumors 6502
Mar 2, 2010
433
194
As the browser itself and the support article state, the Incognito* feature on iOS does offer some privacy features.

It's not as good as the Incognito feature on other platforms, but it's better than nothing.

Then it is not Incognito Mode. It is something else.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.