Google Beefs Up Privacy Rules for Chrome Extensions; Researcher Discovers New Loophole to Detect Incognito Mode

The new changes for Chrome extensions will go into effect starting October 15.

By Jagmeet Singh | Updated: 24 July 2019 14:13 IST
Highlights
  • Chrome extensions will be required to request access to least user data
  • Google has provided guidelines for developers to adopt new changes
  • Incognito Mode flaw has been detected in Storage Quota Management API

Google has updated its User Data Policy to beef up privacy rules for third-party Chrome extensions. The move is a follow-up to the Project Strobe update that the search giant announced in late May. Project Strobe aims to impose a root-and-branch review of third-party developer access to user data. In a separate development, a security researcher has found a way to detect Incognito Mode without leveraging the FileSystem API loophole that Google is set to fix through Chrome 76 later this month.

As a result of the new changes to the User Data Policy designed for Chrome Web Store, all third-party Chrome extensions will be required "to only request access to the least amount of data". Google earlier encouraged developers to request access to the least amount of data, but the new change has come into force as a requirement for all extensions.

Google has also expanded the requirement of posting privacy policies for Chrome extensions. Previously, extensions that handle personal and sensitive user data were required to post a privacy policy.

"Now, we're expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use, and sharing of that data," Alexandre Blondin and Swagateeka Panigrahy of Chrome Product and Policy team noted in the blog post.


The two new changes to the User Data Policy of Chrome Web Store will go into effect starting October 15. Meanwhile, Google has provided guidelines for developers to make their extensions ready for the new change.

"After October 15, 2019, items that violate these updates to the User Data policy will be removed or rejected from the Web Store and will need to become compliant to be reinstated," the Chrome Product and Policy team members said.


The guidelines ask developers to either inventory the current permissions of their Chrome extensions or switch to alternatives that are "more narrowly scoped." A list of permissions used and the reasons behind their requirement should be included in the Chrome Web Store listing or within an about page section of the extension. Also, developers are required to request the new permission in the updated version of the extension if they expand the features of their extension or require new permission from end users.
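One way to carry out the permission inventory described above, as an added example that is not code from Google's guidelines or from this article. The function names, the `BROAD_HOSTS` list of patterns treated as overly wide, and the sample manifest and reasons are assumptions constructed for illustration.

```javascript
// Added example. BROAD_HOSTS and the sample data are constructed for illustration.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Host match patterns carry a scheme separator; <all_urls> is the one keyword form.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// Collect every permission the manifest requests, with where it was declared.
function inventoryPermissions(manifest) {
  const rows = [];
  const add = (source, values) => {
    for (const value of values || []) {
      const kind = isHostPattern(value) ? 'host' : 'api';
      rows.push({ source, value, kind, broad: kind === 'host' && BROAD_HOSTS.has(value) });
    }
  };
  add('permissions', manifest.permissions);
  add('optional_permissions', manifest.optional_permissions);
  add('host_permissions', manifest.host_permissions); // Manifest V3 key
  for (const cs of manifest.content_scripts || []) add('content_scripts.matches', cs.matches);
  return rows;
}

// Flag install-time access to all sites, and permissions with no written reason.
function reviewManifest(manifest, reasons) {
  const rows = inventoryPermissions(manifest);
  return {
    rows,
    broad: rows.filter((r) => r.broad && r.source !== 'optional_permissions').map((r) => r.value),
    undocumented: rows.filter((r) => !reasons[r.value]).map((r) => r.value),
  };
}

// Constructed sample: a Manifest V2 extension and the reasons given in its listing.
const sampleManifest = {
  manifest_version: 2,
  name: 'Constructed sample',
  permissions: ['tabs', 'storage', '<all_urls>'],
  optional_permissions: ['https://*/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['cs.js'] }],
};
const sampleReasons = {
  storage: 'Saves the settings the user chooses',
  'https://example.com/*': 'Runs only on the supported site',
};

const report = reviewManifest(sampleManifest, sampleReasons);
console.log('Broad at install time:', report.broad);
console.log('No documented reason:', report.undocumented);
```

Optional permissions are left out of the `broad` list because they are granted on request at runtime, but they still appear in `undocumented` until the listing explains them.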

For all extensions that handle "Personal or Sensitive User Data", including user-provided content and personal communications, the guidelines note that a privacy policy is mandatory. Google also asks developers to handle the user data securely, including transmitting it via modern cryptography.


Aside from the changes designed for Chrome extensions, Google is also bolstering the Incognito Mode of its Chrome browser by updating its FileSystem API. The change, which was announced last week, will be a part of Chrome 76 that's releasing on July 30. But ahead of the formal release, security researcher and PhD student Vikas Mishra claims to have found another loophole that makes the Incognito Mode trackable.

The new loophole has been spotted in the Storage Quota Management API that is designed to let Web apps understand how much temporary storage space they can use on the browser and how much of the allotted space remains available.

The researcher explains that in the regular browsing mode, a Web app can use a maximum of 1GB, which is 50 percent of the total space available to all Web apps. In Incognito Mode, the storage allotment is reduced to a maximum of 120MB. The researcher says that a Web app would get a storage quota of 120MB in non-Incognito Mode only on a system with a 2.4GB hard drive, which is not common nowadays.

It is, thus, safe to presume that developers would be able to track the status of the Incognito Mode on Chrome browser if a Web app reports only having up to 120MB of allocated storage space using the Storage Quota Management API.

However, it is worth mentioning here that developers leveraging the loophole within the Storage Quota Management API would only be able to detect whether a user is on the Incognito Mode or using the regular browsing mode. This means the reported flaw won't provide any access to user data or browsing patterns.

 
