It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage.

You can test it out by pasting the following into your Chrome DevTools console on any Google page:

```javascript
chrome.runtime.sendMessage(
  "nkeimhogjdpnpccoofpliimaahmaaome",
  { method: "cpu.getInfo" },
  (response) => {
    console.log(JSON.stringify(response, null, 2));
  },
);
```

More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/

hangout_services/thunk.js

It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, …

Simon Willison’s Weblog
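An added example, not part of the original post and not Chromium's code: a web page can only reach an extension with `chrome.runtime.sendMessage(extensionId, ...)` when the extension's manifest lists the page's URL under `externally_connectable.matches`, so auditing that key shows which origins get this kind of access. The sample manifest, the function names and the simplified match-pattern handling are assumptions made for illustration.

```javascript
// Constructed sample manifest (not copied from Chromium); it mirrors the
// *.google.com scoping described in the post.
const sampleManifest = {
  name: "Example bundled extension",
  manifest_version: 2,
  externally_connectable: { matches: ["https://*.google.com/*"] },
};

// Compile one match pattern (scheme://host/path) into a predicate on URLs.
// Simplified: handles http/https schemes, "*." host prefixes and "*" in paths.
function compilePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const pathRe = new RegExp(
    "^" + path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
  return (urlString) => {
    let url;
    try { url = new URL(urlString); } catch { return false; }
    const proto = url.protocol.slice(0, -1);
    if (scheme === "*" ? !["http", "https"].includes(proto) : proto !== scheme) {
      return false;
    }
    const h = url.hostname.toLowerCase();
    if (host.startsWith("*.")) {
      const base = host.slice(2).toLowerCase();
      // "*.google.com" covers google.com and its subdomains, not evilgoogle.com
      if (h !== base && !h.endsWith("." + base)) return false;
    } else if (host !== "*" && h !== host.toLowerCase()) {
      return false;
    }
    return pathRe.test(url.pathname + url.search);
  };
}

// True if a page at pageUrl may open a message channel to the extension.
// Without an externally_connectable key, no web page can.
function canPageMessage(manifest, pageUrl) {
  const patterns = manifest.externally_connectable?.matches ?? [];
  return patterns.some((p) => compilePattern(p)(pageUrl));
}

// Summarise a manifest's exposure to web pages for an inventory report.
function auditManifest(manifest) {
  const matches = manifest.externally_connectable?.matches ?? [];
  return { name: manifest.name, webExposed: matches.length > 0, matches };
}
```

Running `auditManifest` over each installed extension's `manifest.json` gives a quick list of extensions that accept messages from web pages and from which origins.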

@simon There's plenty of Google-only or $bigco special-case code in Chromium, unfortunately. IIUC they only implement things like this as a last resort.

A lot of these predate modern Web APIs that provide access to the same data/functions, others are needed for complex auth stuff (like smartcards or zero-trust auth), others are needed by ChromeOS components for the OS to work. Many hardcoded allowlists are for third-party extensions by big companies for certain code paths.

@AlesandroOrtiz @simon But either it’s ok for general consumption, and then it should be allowed everywhere, or it’s not ok for general consumption, and then it shouldn’t be allowed for Google domains either.

Why should Google domains be treated differently when it comes to smartcard access? And why should Google get a pass on updating their code to newer APIs when everyone else is forced to?