Wordle continues to puzzle millions of us at our breakfast tables and during our daily commutes. But beneath its simplicity is a stark warning over the way we are secretly tracked across the internet—one that is immediately exposed by this very simple yet very effective way to cheat without getting caught.
Let’s start with the basics. What sets Wordle apart is its play once a day limit—once you’ve blown your six guesses, that’s game over for 24-hours. This is done via web cookies, of course. Your browser identifies you when you return to Wordle, automatically displaying your last attempt at that day’s puzzle—winning or otherwise. That same tracking enables Wordle to maintain your stats.
This cookie ecosystem drives internet advertising, linking users to data brokers and commerce sites. If you visit an online clothes store and add items to your basket before leaving the site, you can return to that same basket even if you’re not a registered user of the site. That’s fairly uncontroversial. What is much worse, though, is cross-site tracking. That’s when you leave the clothes store and find another clothes store advertising similar items to you on Facebook later that day.
Different browsers take different approaches to these tracking cookies—among the most popular browsers, Apple’s Safari is best out of the box and Google’s Chrome is the worst, no surprise there. But what is surprising is what happens when you actively select private browsing.
You can beat third-party cookie tracking by simply selecting private or incognito browsing on your phone or computer—all the main browsers offer this as an option. But beware, not all private browsing operates in the same way, with surprising and potentially dangerous privacy implications.
First to the simple Wordle cheat. If you want to maintain your streak, then you need to run Wordle in a normal, non-private browser session. But you can also open a private window in parallel. You can then open another instance of Wordle, giving yourself unlimited guesses, which you can then plug into your usual Wordle window when you find the correct answer.
You can tab between your normal Wordle tab and your private alternative easily, enabling your to try more alternatives. You can even open an an anagram solver in the same private browsing session if you want, making life even easier. And you can do all this without leaving a trace.
Once that private browsing session is exited, all traces of those tabs—the Wordle sessions, the anagram solver, and anything else you’ve opened, will be erased. If you open up a new private browsing session, it will be as though you’re visiting for the first time—ever. All cookies and data and browsing history will have been erased. But the use of that word “session” is critical.
In Apple’s Safari, when you select private browsing each tab is sandboxed. That means, as you’d expect, that no cookies can be tracked from one tab or window to another. You can easily see this by opening multiple Wordle tabs at the same time with different guesses (as below).
But Safari is the only one of the four major browsers to work in this way. Chrome, Edge and even Firefox maintain your cookies until you close every one of the private browsing tabs or windows you have opened. Again you can easily see this, because each time you open a new instance of Wordle, it will display the same private browsing Wordle session from that day, just like a normal session.
Clearly, this doesn’t matter with Wordle. But in a world where many of us have moved to private browsing by default, and where we often maintain countless open tabs, it’s not a good look, especially given that most people are totally unaware of this. Even my STC colleagues were surprised. It also means, of course, that with Safari you can open multiple private tabs and enjoy unlimited guesses. With the others, you can only have another six guesses until you close all your private tabs.
This isn’t a flaw—the browsers are open about this and are working as advertised. But in my view, it’s buried too deeply in the small print for something this important. Google explains that in incognito mode Chrome won’t save your browsing history, your cookies and site data, information that you entered in forms and permissions that you give websites,” but only “once you exit all your incognito browsing windows.” Put even more simply, it acknowledges that “if you have an incognito tab open and you open another one, your private browsing session will continue in the new tab.”
Firefox explains that “cookies set in private windows are held temporarily in memory, separate from regular window cookies, and discarded at the end of your private session (after the last private window is closed).” And Microsoft that Edge will “clear browsing history, download history, cookies and other site data, cached images and files, passwords, autofill form data, site permissions and hosted app data when you close all InPrivate windows.”
Contrast this with Apple. “Browsing initiated in one tab,” it assures, “is isolated from browsing initiated in another tab, so websites you visit can’t track your browsing across multiple sessions.”
As ESET’s cyber guru Jake Moore warns, “the amount of personal data tracked from within browsers is quite astonishing, but more worrying is that very few people fully understand this or even care. Private browsing is often thought of as completely private, but what it does is just flush out any local data that would otherwise be stored on the device in normal browsing.”
Last year, researchers Tommy Mysk and Talal Haj Bakry warned that this privacy vulnerability even opens up a potential cross-site tracking risk: “third-party iframes (such as Twitter and Facebook embeds) can under certain conditions still track users.”
“This data is kept until the session is closed or even until the computer is restarted in some occasions as it can be located in the RAM,” cautions Moore. “Digital forensics software can locate a lot of data even when in private browsing mode if a computer hasn’t been turned off.”
Any private browsing on any major browser is much better than normal browsing—the blocking of nasty third-party tracking cookies is the primary benefit. But unlike Safari, the other leading browsers have compromised privacy for a “remember me” usability solution that maintains session data until every tab is closed down. That’s ok if you use private browsing by exception, and then shut it down. But it’s much more of an issue if you maintain open tabs and never close the entire session down.
And so, back to Wordle. If you are minded to use this method to cheat, remember that even if you close the dodgy Wordle tab you’re operating behind the scenes, someone opening private browsing on your device and going to Wordle will catch you unless you close all your private tabs or use Safari (of the leading browsers). It’s the same risk if you use multiple devices—reach for your iPad as a backup, but remember you’ll get caught if someone else uses the same device. Maybe this article should have been titled “how not to get caught cheating at Wordle” instead.