Security risk in Chrome with HTTPS Everywhere combined with Incognito
I recently noticed that when I log in to two Twitter accounts, one from Google Chrome’s main window and the other from an Incognito window, the Incognito session would sometimes mysteriously “leak” into the main window. I suspected a faulty extension, and it seems I was right. The faulty extension is, ironically, HTTPS Everywhere by the Electronic Frontier Foundation.
Cookies set in normal browsing mode cannot be seen in Incognito, as expected, but some cookies set in Incognito become visible to normal browsing mode. The affected cookies are the ones HTTPS Everywhere rewrites to add the Secure flag (see the bug report below). Unfortunately this means that your Incognito sessions can leak data into your normal browsing sessions.
According to a four-month-old HTTPS Everywhere bug report, it’s a Chrome API bug: “We’re getting the onCookieChanged event, and the cookie we get in that event has a storeId of 0 regardless of where it comes from (Incognito or not). We then turn right around and set the secure flag on the cookie and issue a cookies.set(cookie). Since the storeId is still the default store, the cookie leaks to normal mode.”
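To make the quoted mechanism concrete, here is an added example; it is not code from the original post, from HTTPS Everywhere or from Chrome. It builds a small stand-in for the chrome.cookies API with a normal-mode store (“0”) and an Incognito store (“1”) whose onChanged event always reports storeId “0”, as the bug report describes, then compares a listener that re-sets non-Secure cookies the way the report describes with a store-aware variant that does not trust the event’s storeId. Everything in it (makeFakeCookies, the twitter.com host set, the auth_token cookie, the listener names) is constructed for the simulation, and the store-aware listener is one possible mitigation, not the fix the project shipped.

```javascript
// Added example, not code from the original post or from HTTPS Everywhere.
// It simulates the mechanism quoted from the bug report: an extension that
// re-sets every non-Secure cookie with the Secure flag, fed by an onChanged
// event whose storeId is "0" (normal mode) regardless of where the cookie
// was actually set. All names below are constructed for the simulation.

// Minimal stand-in for chrome.cookies with two stores: "0" (normal mode)
// and "1" (Incognito). Synchronous for readability; the real API is async.
function makeFakeCookies({ eventStoreIdBug = true } = {}) {
  const stores = { "0": new Map(), "1": new Map() }; // key: name@domain
  const listeners = [];
  const keyOf = (c) => `${c.name}@${c.domain}`;

  return {
    getAllCookieStores: () => Object.keys(stores).map((id) => ({ id })),
    get: ({ url, name, storeId = "0" }) =>
      stores[storeId].get(`${name}@${new URL(url).hostname}`) || null,
    set: (details) => {
      const cookie = {
        name: details.name,
        value: details.value,
        domain: details.domain || new URL(details.url).hostname,
        path: details.path || "/",
        secure: Boolean(details.secure),
        httpOnly: Boolean(details.httpOnly),
        storeId: details.storeId || "0",
      };
      stores[cookie.storeId].set(keyOf(cookie), cookie);
      // The bug: listeners see storeId "0" even for an Incognito cookie.
      const reported = { ...cookie, storeId: eventStoreIdBug ? "0" : cookie.storeId };
      for (const fn of listeners) fn({ removed: false, cause: "explicit", cookie: reported });
    },
    onChanged: { addListener: (fn) => listeners.push(fn) },
  };
}

// Leaky pattern: trust the storeId carried by the event and write the
// Secure copy there. With the bug, "there" is always the normal-mode store.
function installLeakyListener(cookies, secureHosts) {
  cookies.onChanged.addListener(({ removed, cookie }) => {
    if (removed || cookie.secure || !secureHosts.has(cookie.domain)) return;
    cookies.set({
      url: `https://${cookie.domain}${cookie.path}`,
      name: cookie.name, value: cookie.value, domain: cookie.domain,
      path: cookie.path, httpOnly: cookie.httpOnly, secure: true,
      storeId: cookie.storeId, // "0" regardless of origin
    });
  });
}

// Hardened pattern (an illustration, not the project's actual fix): ignore the
// event's storeId, look the cookie up in every store, and rewrite only the
// stores that really hold a non-Secure copy, using each store's own value.
function installStoreAwareListener(cookies, secureHosts) {
  cookies.onChanged.addListener(({ removed, cookie }) => {
    if (removed || cookie.secure || !secureHosts.has(cookie.domain)) return;
    const url = `https://${cookie.domain}${cookie.path}`;
    for (const store of cookies.getAllCookieStores()) {
      const existing = cookies.get({ url, name: cookie.name, storeId: store.id });
      if (!existing || existing.secure) continue; // absent here, or already Secure
      cookies.set({
        url, name: existing.name, value: existing.value, domain: existing.domain,
        path: existing.path, httpOnly: existing.httpOnly, secure: true,
        storeId: store.id,
      });
    }
  });
}

// Scenario from the post: a login in an Incognito window sets a non-Secure
// session cookie in store "1". Returns what the normal-mode store ends up
// holding and whether the Incognito copy got its Secure flag.
function simulateIncognitoLogin(install) {
  const cookies = makeFakeCookies();
  install(cookies, new Set(["twitter.com"]));
  cookies.set({ url: "http://twitter.com/", name: "auth_token",
                value: "incognito-session", storeId: "1" });
  const normal = cookies.get({ url: "https://twitter.com/", name: "auth_token", storeId: "0" });
  const incognito = cookies.get({ url: "https://twitter.com/", name: "auth_token", storeId: "1" });
  return {
    leakedToNormal: normal ? normal.value : null,
    incognitoSecure: incognito ? incognito.secure : null,
  };
}

console.log("leaky listener:      ", simulateIncognitoLogin(installLeakyListener));
console.log("store-aware listener:", simulateIncognitoLogin(installStoreAwareListener));
```

With the leaky listener the Incognito session value ends up in the normal-mode store and the Incognito copy never gets its Secure flag; with the store-aware listener nothing reaches the normal store and the Incognito copy is upgraded in place. In a real extension the chrome.cookies calls are asynchronous, so the lookup-then-set sequence would use callbacks or promises, but the point stands: a storeId taken from the event cannot be trusted to say where a cookie came from.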
The only other report I could find was a little-noticed Google+ post by Todd Vierling (with reproduction instructions) from more than half a year ago, and it seems nothing has been done to mitigate the issue since then.
Reproduced in Chrome version: 28.0.1500.72 m, HTTPS Everywhere version: 2013.7.10