Evan Andersen, an ECE student at the University of Toronto, has discovered a trivial bug in Nvidia GPUs that sometimes exposes the content of Google Chrome Incognito Mode sessions via other applications.

Mr. Andersen discovered the issue two years ago, when opening the Diablo III game. For a few seconds, as the game started and while resources were initiated, the game's loading screen presented him with a snapshot of his previous Google Chrome Incognito Mode (private browsing) session.

This surprised him very much, since Google advertises and describes Incognito Mode as a way to browse the Web in private via Chrome, and then delete all browsing data as soon as the Incognito Mode window is closed, removing any trace from the local computer.

GPU memory buffers aren't deleted between applications

According to Mr. Andersen, the "delete" part didn't happen, and after investigating the issue, he discovered that at fault were both the Nvidia GPU driver and Google Chrome itself.

A computer's GPU works by allocating (graphics-processing) memory to opened applications, like Chrome, in this case. As applications exit, the memory is re-added to the GPU's shared memory pool and then reallocated to another application.

As Mr. Andersen describes, Chrome did not delete the memory buffer before allocating it back to the shared memory, the Nvidia GPU driver didn't clear previously allocated memory, and neither did Diablo clear memory that was allocated to the game.

While Diablo can be excused because its developers might have thought that Nvidia uses the same (standard) memory management system employed by CPU RAM for years, both Nvidia and Google cannot.

Nvidia because clearing memory buffers is a fairly basic concept programmers learn early in their computer science education, and Google because allowing Incognito Mode data to survive outside its session is a big no-no when it comes to user privacy.

Both companies failed to fix the issue for the past two years

Mr. Andersen submitted bugs to both these companies two years ago, and both failed to fix the issue. Even worse, as Mr. Andersen explains, Google marked his bug report as a "won't fix" because "Google Chrome Incognito Mode is apparently not designed to protect you against other users on the same computer."

If true, this explanation comes in direct opposition to how Google currently describes Incognito Mode, a feature introduced to "browse the Internet in private without Chrome saving the sites you visit."

"This is a serious problem. It breaks the operating system’s user boundaries by allowing non-root users to spy on each other," Mr. Andersen explained. "It doesn’t need to be specifically exploited to harm users - it can happen purely by accident."

Of course, compared to two years ago, Google's stance on user privacy might have changed. Just this past September, a similar issue was also present in Google Chrome for Android, which failed to clear some of the user's browsing history. Google fixed the issue in its following release.