Reddit user stumbles upon Chrome's privacy bug

Sep 26, 2015 13:49 GMT

Back in 2012, Google introduced Incognito Mode for its Chrome browser, a feature now present in all of its variants on Android, iOS, Mac, Linux, and Windows. The feature allows users to surf the Web without storing information about which sites they visit on their local computer.

Apparently, the Android version has a bug in its Incognito Mode implementation which allows some of the user's browsing history to be stored somewhere in its settings.

Reddit user notarower discovered the bug by accident while trying to temporarily disable JavaScript in his browser.

Going into "Settings -> Site settings -> All sites," notarower found a log of all the sites he had recently visited. To his surprise, the list included Reddit, a site which he admitted to navigating only in Incognito Mode.

This intrigued him enough to investigate. The user tried to wipe his browsing history from the browser, but apparently that did not remove the browsing history from that section of the browser's settings.

Only by clearing Chrome data in Android's App Info page can the Incognito Mode data be removed

He eventually managed to clean out the records by going to Android's App Info page for Chrome, where he deleted all the app's data. Unfortunately, this solution cleared all his browser settings (logins, cookies, preferences), but with a clean browser he was now able to test his theory again, and discover that Chrome for Android does save "some" of the browsing history.

After further experiments, he found that Chrome in Incognito Mode stored a list of the sites to which he had granted permission to store data locally, to access the camera or microphone, or to use fullscreen mode.

The Chrome bug is basically a bad implementation of Incognito Mode: instead of keeping these permissions separate from the permissions of the regular browsing session, it bundles them together.

Since Google has been very careful with user privacy in the past, the bug will probably be fixed in upcoming versions, and permissions granted to websites while in Incognito Mode will be automatically deleted when the user closes his private browsing session.
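A minimal model of the bundling flaw and of the separation described above, as an added example that is not Chrome's code or part of the original article. The class names, method names and `.example` hosts are assumptions made for illustration.

```python
class SharedPermissionStore:
    """Flawed design: one persistent map serves regular and incognito tabs."""

    def __init__(self):
        self._persistent = {}  # site -> set of permissions, kept on disk

    def grant(self, site, permission, incognito=False):
        # The incognito flag is ignored, so private grants get persisted.
        self._persistent.setdefault(site, set()).add(permission)

    def is_granted(self, site, permission, incognito=False):
        return permission in self._persistent.get(site, set())

    def close_incognito(self):
        pass  # nothing to discard: private grants were never kept apart

    def all_sites(self):
        # Models the "All sites" list shown in the regular settings page.
        return sorted(self._persistent)


class IsolatedPermissionStore(SharedPermissionStore):
    """Separated design: incognito grants live in a memory-only map."""

    def __init__(self):
        super().__init__()
        self._incognito = {}  # never written to disk

    def _map(self, incognito):
        return self._incognito if incognito else self._persistent

    def grant(self, site, permission, incognito=False):
        self._map(incognito).setdefault(site, set()).add(permission)

    def is_granted(self, site, permission, incognito=False):
        return permission in self._map(incognito).get(site, set())

    def close_incognito(self):
        self._incognito.clear()  # grants die with the private session


def run_session(store):
    """Grant one permission per mode, close incognito, list stored sites."""
    store.grant("news.example", "camera")                         # regular tab
    store.grant("private.example", "fullscreen", incognito=True)  # constructed
    store.close_incognito()
    return store.all_sites()
```

With the shared store, the site visited only in the private session still appears in the stored list after the session is closed; with the isolated store it does not.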

User zxzyzd also made a proof-of-concept video for this bug.