Simon WillisonJul 9, 2024

It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage

You can test it out by pasting the following into your Chrome DevTools console on any Google page:

chrome.runtime.sendMessage(
"nkeimhogjdpnpccoofpliimaahmaaome",
{ method: "cpu.getInfo" },
(response) => {
console.log(JSON.stringify(response, null, 2));
},
);

More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/

hangout_services/thunk.js

It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, …

Simon Willison’s Weblog
Show threadDanielJul 9, 2024
@simon Interesting! Can this perhaps be used for fingerprinting? 👀
Show threadSimon Willison
@djh yeah, I imagine the fingerprinting risk is why they don't expose this functionality to everyone else
Jul 9, 2024 at 6:01pmWeb
Show threadZachary Wander Jul 9, 2024
@simon @djh fingerprinting for me, not for thee
Show threadJeff TriplettJul 9, 2024
@simon @djh I thought it was already established that Google fingerprints you via your account. I think making it private to them keeps others from using it for fingerprinting, but I apologize if I'm missing the point.
Show threadTimo ZimmermannJul 9, 2024

@webology @simon @djh I think the interesting part will be when Europe looks at this and invokes the DMA which should AFAIK apply here.

If this would be the case and if they would rule to open it up for everyone not just the company who already got all your data will be using it. :/

Show threadSite Reliability Enby🏳️‍⚧️🏁🔦📈🐺👗😷Jul 9, 2024
@fallenhitokiri Or google could just remove their backdoor.
Show threadTimo ZimmermannJul 10, 2024
@SiteRelEnby while I’d obviously prefer that I honestly don’t see Google make an ethical decision at this point :/
Show threadstefanJul 9, 2024
@simon But why would Google themselves need it for fingerprint given that the control the whole browser? Or do you mean "they need it for something else but it could be used for fingerprinting by others"? @djh
Show threadChristopher SchmidtJul 11, 2024
@stefan @simon @djh this is what I would mean by this statement, yeah.