It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage

You can test it out by pasting the following into your Chrome DevTools console on any Google page:

```js
chrome.runtime.sendMessage(
  "nkeimhogjdpnpccoofpliimaahmaaome",
  { method: "cpu.getInfo" },
  (response) => {
    console.log(JSON.stringify(response, null, 2));
  },
);
```

More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/

hangout_services/thunk.js

It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, …

Simon Willison's Weblog
@simon Interesting! Can this perhaps be used for fingerprinting? 👀
@djh yeah, I imagine the fingerprinting risk is why they don't expose this functionality to everyone else
@simon @djh fingerprinting for me, not for thee
@simon @djh I thought it was already established that Google fingerprints you via your account. I think making it private to them keeps others from using it for fingerprinting, but I apologize if I'm missing the point.

@webology @simon @djh I think the interesting part will be when Europe looks at this and invokes the DMA which should AFAIK apply here.

If this would be the case and if they would rule to open it up for everyone not just the company who already got all your data will be using it. :/

@fallenhitokiri Or google could just remove their backdoor.
@SiteRelEnby while I'd obviously prefer that I honestly don't see Google make an ethical decision at this point :/
@simon But why would Google themselves need it for fingerprinting given that they control the whole browser? Or do you mean "they need it for something else but it could be used for fingerprinting by others"? @djh
@stefan @simon @djh this is what I would mean by this statement, yeah.
@simon does that mean other extensions that can modify data on *.google.com can also use that extension?
@Rairii @simon Yep, absolutely. Other extensions can simply request access to system.cpu API however, it isn't the kind of permission that will cause alarms to go off.
@simon Good find! The next step will be to figure out how it's used. On which websites is the extension called?
@simon Reminds me of my blog post about How Firefox gives special permissions to *some* domains. https://frederikbraun.de/special-browser-privileges-for-some-domains.html
@freddy @simon Well, at least in Firefox's case it doesn't seem to give an unfair advantage to Mozilla or something.
@freddy @simon the Firefox features make sense though, don't they? 🤔
@simon i can confirm this also works in chromium, where it is enabled in Arc Browser
@ShadowJonathan @simon It didn't work for me in a chromium incognito window.
@akkana @simon you need to do it on a google.com website

@ShadowJonathan @simon I was on google.com. Not signed in, though; maybe it only works if you're signed in to a Google account? The error message is: Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage') at <anonymous>:1:16

That's from the console I get from "Inspect" in the context menu, then Console. If I use the hamburger menu More Tools->Developer Tools console, I get: Uncaught TypeError: chrome.runtime.sendMessage is not a function at <anonymous>:1:16

@simon isn't this just the "I agree to share usage metric" EUA we all clicked through? Or is this running even if we unselected that checkbox?

@simon There's plenty of Google-only or $bigco special-case code in Chromium, unfortunately. IIUC they only implement things like this as last resort.

A lot of these predate modern Web APIs that provide access to the same data/functions, others are needed for complex auth stuff (like smartcards or zero-trust auth), others are needed by ChromeOS components for the OS to work. Many hardcoded allowlists are for third-party extensions by big companies for certain code paths.

@AlesandroOrtiz @simon But either it's ok for general consumption, and then it should be allowed everywhere, or it's not ok for general consumption, and then it shouldn't be allowed for Google domains either.

Why should Google domains be treated differently when it comes to smartcard access? And why should Google get a pass on updating their code to newer APIs when everyone else is forced to?

@simon There's a list of methods you can try here:

https://chromium.googlesource.com/chromium/src.git/+/main/chrome/browser/resources/hangout_services/thunk.js

Also looks like the list was bigger in previous versions

@simon Hmm, the code doesn't do anything on Cromite (github.com/uazo/cromite), perhaps the extension is removed? Because the error I get is:
"VM68:1 Uncaught
TypeError: Cannot read properties of undefined (reading 'sendMessage')
at <anonymous>:1:16
(anonymous) @ VM68:1"

@simon It's such a 'mundane' thing to have a built-in advantage over your competitors when you're working at Google...🤔

Who gives a fuck about fairness, amirite?

@simon

That's officially malware, right?

@simon

I have no way to test this on desktop. /s

Does this misfeature exist on old chrome on Android?

I am guessing yes because likely Chrome always had a backdoor. But, maybe not.

@simon Microsoft tried to warn us. They told us we'd be scroogled. Now look at us? We've all been scroogled...

Ah well.

Firefox
https://www.mozilla.org
and list of Searx instances
https://searx.space/
go brrr


@hopland @simon Mozilla telemetry, anyone?

Librewolf
https://librewolf.net
go brrr


@simon I use firefox compiled on Gentoo Linux :)
@simon time to complain to the EU commission about their abuse of monopoly and power such that Google will force them to open access to those APIs to any site.
@simon Not knowing how '*' is implemented, I'm concerned that it might be used on other websites matching `*.google.com`, such as https://my.malevolence.site/.google.com.
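
The wildcard question in the post above, as an added example that is not part of the thread and is not Chromium's code: a simplified model of how Chrome's documented match patterns apply a leading `*.` to the parsed hostname only, never to the path. The pattern string `https://*.google.com/*` is an assumption about the extension's allowlist, and the sample URLs are constructed.

```javascript
// Assumed allowlist pattern (not quoted from this thread).
const PATTERN = "https://*.google.com/*";

// Split "<scheme>://<host><path>"; '*' in the host is only valid alone or as a leading "*.".
function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  return { scheme: m[1], host: m[2].toLowerCase(), path: m[3] };
}

// "*.google.com" matches google.com and any subdomain, compared on a label boundary.
function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const base = patternHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === patternHost;
}

// In the path part, '*' is a plain wildcard and everything else is literal.
function pathMatches(patternPath, path) {
  const re = patternPath
    .split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + re + "$").test(path);
}

function urlMatches(pattern, rawUrl) {
  const p = parsePattern(pattern);
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  const scheme = u.protocol.slice(0, -1);
  if (p.scheme === "*" ? !["http", "https"].includes(scheme) : p.scheme !== scheme) return false;
  return hostMatches(p.host, u.hostname) && pathMatches(p.path, u.pathname + u.search);
}

// Constructed sample URLs, including the one from the post above.
const SAMPLE_URLS = [
  "https://meet.google.com/", "https://google.com/",
  "https://my.malevolence.site/.google.com",
  "https://evilgoogle.com/", "https://google.com.evil.example/",
];
for (const url of SAMPLE_URLS) console.log(urlMatches(PATTERN, url), url);
```

Under this model only the first two URLs match; the path-based and lookalike hosts are rejected because the comparison is made against the parsed hostname on a `.` boundary.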

@simon

I got worried, and then I remembered that I had stopped using Chrome.

@simon For what it's worth, Edge is sufficiently 'Chromed' that it does the same there too ...
Although on a non-google site it offers me "Explain Console errors by using Copilot on Edge" 
@simon Yet another reason why NOBODY SHOULD BE USING THAT MULTICOLOURED PIECE OF SHIT!
@simon This also appears to be present in @Vivaldi

@jsparknz @simon @Vivaldi I did some testing and found that you can disable it in Vivaldi by turning off the Google Meet support in Vivaldi's Privacy and Security settings.

https://notes.kvibber.com/@kelson/statuses/01J2CQHARWXZ957D8RJ2Z4NNRH

Mine was already turned off, but I don't know what the default is, since I installed it so long ago and don't remember what settings I changed at the time.

@kelson @simon @Vivaldi Thank you for sharing that. I tried it out and turning it off works. It does seem to me something that should be off by default, though.
@simon huuuuh. I wonder if Edge has an equivalent for Bing or MS domains?

(not that they'd technically need it, seeing as most people using Edge are also probably using Windows)
@simon I'm old enough to remember when Microsoft got consent decree'd for this sort of thing. I suppose that's a quaint idea these days.

@simon

All the more reason to move all Google services under *.google.com instead of dedicated domains like gmail.com, etc

@simon Not near a laptop ATM but does this CLI flag disable it --disable-component-extensions-with-background-pages

IME you can see most hidden Chrome extensions via chrome://system

@simon I'm just wondering how many things go wrong on modern websites, if I set "*.google.com" and affiliated sites in Blocklist of my opnsense router 🤔

Google really belongs to the same category, like facebook and chinese toktik 😂

@simon for real, shut down that company... Too much control of the market. They literally can do whatever they want and people are pretty much forced to go along with it, because it's way too embedded in everyday tasks.
@simon whoa, didn't Microsoft get in trouble with hidden apis in the 90s? (although, Apple has a bunch now too... Ugh)
@simon
I've been slowly moving away from corporate software for just this reason
@simon Yes, works on chrome on Google pages. Fascinating! Thank you for sharing this!

@simon

That's a bit of a shocker. Neat technique though.

@simon Microsoft did this too, I hope Apple and Mozilla aren't doing it too...
@simon Interesting: ungoogled chromium (top) does not have the API, but regular chromium (bottom) _has_ it, too!
@simon Seems like this is happening on @Vivaldi as well; can you folks have a look at it?