A newly found bug in Google Chrome for Android means incognito mode really isn’t as locked-down as it’s designed to be. Some sites you visit while using the privacy feature are still saved, and can be retrieved simply by opening the browser’s settings.
Google Chrome for Android has had incognito mode since February 2012. Here is Google’s official description of the feature: “If you don’t want Google Chrome to save a record of what you visit and download, you can browse the web in incognito mode.”
Yet Reddit user notarower this week discovered that some of the sites he only visits in incognito mode are easily viewable in the browser (Settings => Site settings => All sites). Even after hitting the “Clear browsing data” option, Chrome still lists the sites. The only way to wipe the list is to go to Chrome’s App Info section in Android’s settings and delete the app’s data. Unfortunately, doing so means you’ll lose everything, including saved logins.
We confirmed the bug ourselves on Android. “Site settings” does not exist in Chrome for Windows, Mac, Linux, or iOS, so the issue isn’t present on those platforms.
Another Reddit user posted a video of the bug in action.
So, why does this happen? It turns out that by default, “All sites” includes pages to which you have given Chrome permission to do something beyond just loading web content (access the camera or microphone, open a video in full screen, provide your location, and so on). Websites should ask for permission for these various tasks, and it’s perfectly okay for Chrome to keep track of them, but not if you’re doing this in incognito mode.
If this privacy issue seems concerning to you, there is good news. We have confirmed with a source close to Google that the bug has already been fixed in Chrome 46 for Android.
There is no firm date for when the new version will arrive, but given that Google releases browser updates every six weeks or so, and Chrome 45 arrived at the start of this month, we should see Chrome 46 in early- or mid-October.