Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage

fin , 4 days ago

“Don’t be evil”

atrielienz , 1 day ago

Not anymore.

trolololol , 4 days ago

This that and the article are very light on details, but I couldn’t find an article deeper in details

My laptop, that I own and runs Linux that I installed, has chrome in it. I’m order to log into Gmail for work, it installs an extension that is capable of telling Gmail if my disk is encrypted. I know because you get an error message until my disk was actually encrypted. It was a big surprise to me, and I wonder if this is done by the same piece of code.

Btw would there be a way to do virtualization through perhaps docker or flat pack or chroot that can isolate chrome in a sandbox and prevent it from a) reading and writing files anywhere on any disk and b) get other data such as CPU, disk encryption etc?

Andromxda OP , 4 days ago

My laptop, that I own and runs Linux that I installed, has chrome in it. I’m order to log into Gmail for work, it installs an extension that is capable of telling Gmail if my disk is encrypted. I know because you get an error message until my disk was actually encrypted. It was a big surprise to me, and I wonder if this is done by the same piece of code.

That’s strange, I’ve never heard of that before

Btw would there be a way to do virtualization through perhaps docker or flat pack or chroot that can isolate chrome in a sandbox and prevent it from a) reading and writing files anywhere on any disk and b) get other data such as CPU, disk encryption etc?

There are some isolation mechanisms on Linux like Firejail or Bubblewrap. The latter is used by Flatpak to sandbox applications. These are rather weak though, and Flatpak weakens the security of bwrap further. By default, Flatpak application permissions are also set in a Manifest file, which is created by the maintainer of the package. To get more control over your Flatpak sandbox, you need to use an application like Flatseal.

Docker (or containers in general) aren’t meant for isolation/sandboxing, but this approach would also work. I would create a container using Distrobox or toolbx, and install Chrome inside the container.

This will not prevent Chrome from getting your CPU information though. To protect against that, you would have to use a virtual machine (and spoof the your CPU model if you want to hide that from Chrome).

beeb , 4 days ago

Sounds easier to switch to another browser at that point

Andromxda OP , 4 days ago

OP apparently needs Chrome to log into an enterprise GSuite account, which has specific requirements, that are enforced by Chrome’s enterprise policy system. I don’t think this works in Chromium.

beeb , 4 days ago

Oh I didn’t catch that my bad. I hope they get a work computer where this kind of stuff doesn’t interfere with private life!

ZILtoid1991 , 5 days ago

How long until it will be used as a backdoor to hack womeone’s PC?

rottingleaf , 5 days ago

Negative number.

ILikeBoobies , 5 days ago

Seems google has already done that

gencha , 4 days ago

Chrome is the backdoor and you already installed it

kworpy , 5 days ago

idk what to tell you if you’re still using chrome

GoogleSellsAds , 5 days ago

Or anything Google for that matter. I see a lot of praise on Lemmy for their Pixel phones, but it wouldn’t surprise me if they eventually find there was a backdoor in their firmware all this time. Yes of course, I can not prove that right now, but this news about Google Chrome isn’t news for no reason. Don’t trust anything Google if you care about privacy, it is literally their business model (selling targeted ads).

joel_feila , 5 days ago

Wrll you have to use a pixel phone to use graphene os

01189998819991197253 , 5 days ago

Yeah, I’m not super happy about that part, but don’t really know what to do

Emerald , 4 days ago

Use a Pixel phone. No more sketchy then any other popular phone manufacturer

01189998819991197253 , 4 days ago

It’s what I do. With degoogled os. But the proprietary blobs aren’t filling me with confidence.

Emerald , 3 days ago

Does your laptop run free software boot firmware? If not, it has the same issues as a phone, if not more. No smartphone runs fully free firmware.

01189998819991197253 , 3 days ago

I know all this and that’s not filling me with confidence, either. It’s why Framework is in my sights.

Emerald , 2 days ago

Framework doesn’t have free boot firmware either and it contains the Intel ME (the backdoor in Intel CPU’s). The point I am trying to make is that you won’t find a perfect solution anywhere.

01189998819991197253 , 2 days ago

You’re right, but I never said perfect. Perfect doesn’t exist. I’m looking for reasonable and sustainable. Projects like framework and libreboot are making this possible for the first time in history. But, like you eluded to, they, too, won’t be perfect.

irreticent , 5 days ago

Relevant username.

Emerald , 4 days ago

Well pretty much all computers have a backdoor to the CPU. That hasn’t been proven for Pixel phones though.

Andromxda OP , 3 days ago

I fucking hate Google and wouldn’t use any of their (proprietary) software, but Pixel phones are amazing. Hear me out, Google is the only phone manufacturer right now, that puts extensive hardware security features like MTE, a secure element, as well as a bunch of others in their phones. The Google Titan M2 is based on an open-source project called OpenTitan, and Google has even contributed their own changes upstream. It’s based on the open RISC-V architecture, and it’s the most complete and secure implementation of a secure element that you can find in an Android phone. The only thing that comes even close is the “Secure Enclave” in Apple ARM chips, that are used in modern iPhones, iPads and Macs. I understand the concern about a potential backdoor in the firmware, but that’s a valid concern with basically every CPU on the market right now. x86 are ARM are completely proprietary, so you can’t really trust any CPU based on one of these architectures. The old Google Titan M1 was based on ARM, Apple’s Secure Enclave is also based on ARM, as well as Snapdragon’s SPU (which is incomplete and insecure anyway). The Titan M2, being based on open hardware architecture and firmware, is the most trustworthy secure element, despite being made by Google. It includes features like Insider Attack Resistance, support for the Weaver API, Android StrongBox hardware keystore implementation and is used for a secure implementation of Android Verified Boot. GrapheneOS is free, open-source, and doesn’t use any proprietary Google apps/services by default. Although I hate Google, a Pixel with GrapheneOS is currently the best option for a secure smartphone.

ours , 4 days ago

I do: DON’T

T156 , 5 days ago

Does this also affect Chromium, or is it just Google Chrome?

The article mentions it being affecting Google Chrome through Chromium, but it’s not clear if it also affects Chromium on its own, or other Chromium-based browsers.

Krzd , 5 days ago

It allegedly also affects Edge and Vivaldi, so it seems to be chromium not chrome

sqibkw , 5 days ago

Just now tested in Vivaldi and it works, so yeah seems like Chromium 🥲

redditReallySucks , 5 days ago

Doesn’t seem to work on cromite desktop (good)

Andromxda OP , 4 days ago

Chromium is also affected.

JTheFox , 4 days ago

Chromium alone depends on if it’s the Google version or the Un-Googled version. For the Google version of Chromium, it still has that hangouts extension. However, the Un-Googled Chromium has that extension removed via the build flags, the one to note is enable_hangout_services_extension=false.

As others have said though, it can also depend on what other Chromium-based is being used. Some browsers like Brave and including Vivaldi can have this turned off in the settings. Others like Edge and Opera are affected as well. However it doesn’t affect every Chromium-based browser.

ComeHereOrIHookYou , 5 days ago

This is hilarious! It even works on Edge, Vivaldi and even Brave 🤣. Good thing I use Firefox in almost everything or general day to day use

Katana314 , 5 days ago

I’ll admit, in several places I used Edge as an effort to have at least some layer of distrust between myself and Google. I’ll have to quit that though.

dejected_warp_core , 5 days ago

I like your style. I went looking and found “switchbar” which kinda/sorta eases this bouncing between browsers idea:

…google.com/…/klgpknafjlhnpkppfbihchgfebbdcomd

It’s not elegant, but it supports the workflow you suggest. I kind of like the idea of using Edge for google.com and Chrome for microsoft.com. I’m not optimizing my experience (it may in fact be very sub-optimal), but I’m also using competition to neutralize potential shenanigans.

Emerald , 4 days ago

I kind of like the idea of using Edge for google.com and Chrome for microsoft.com.

Dang, just use Firefox. It’s so much easier then this

madis , 5 days ago

Vivaldi and Brave have the option to disable the Hangouts extension in settings, which should disable this.

As linked in the article, it is indeed used for “Hangouts” (Meet) troubleshooting.

ComeHereOrIHookYou , 4 days ago

This is good news since Vivaldi is my goto chromium browser (when I need to really use it)

Andromxda OP , 4 days ago

Firefox 🔛 🔝

xavier666 , 4 days ago

🦊🦊

solrize , 4 days ago

jwz.org/…/mozilla-is-an-advertising-company-now/

ComeHereOrIHookYou , 4 days ago

Welp, might as well just use w3m 🤣

cupcakezealot , 4 days ago

such a sensationalist article there. mozilla isnt an advertising company, they bought a company that specialises in privacy focused ad campaigns so they can provide an alternative to google for companies.

which is what they should be doing.

Scotty_Trees , 5 days ago

If you’re still using Google Chrome in 2024, you might be a moron. #Firefox

raspberriesareyummy , 5 days ago

I am “slightly” worried that there’s only a single option left. That’s only 1 organization’s corruption removed from total loss of control over browsing privacy :/

Scrollone , 5 days ago

And Mozilla main source of income is… Google.

This is bad, very bad.

n3m37h , 4 days ago

Google pays them to be the default search. FF is like Steve Irwin, you could have been the biggest poacher, if you gave him money he would use it to buy land to help protect animals. FF is pulling the same thing but for the intetnet

cupcakezealot , 4 days ago

so donate and change that

ILikeBoobies , 5 days ago

There’s safari and pale moon

Holzkohlen , 5 days ago

Refreshing change from reading about some new AI powered tracking nonsense in Windows.

NutWrench , 5 days ago

I already ditched Windows for Linux a month ago because of spyware. Everything Google-related is next. My phone is going to be the hardest thing to de-infest.

moonburster , 5 days ago

I kinda want to, but I’m also a sucker for ease of use

Tywele , 4 days ago

For ease of use Apple might be the most convenient alternative to Google. At least for smartphones.

moonburster , 4 days ago

Ease of use and apple are not near each other in my dictionary.

I think a lot of things are designed very unlogical

Tywele , 4 days ago

That might be because you are just not used to it. Comparable to the switch from Windows to Linux.

moonburster , 4 days ago

I’m using Linux and tried different distros. I also used chrome os and windows Phone. I tried ios, hence my feelings towards it

Tywele , 4 days ago

And many people tried Linux and were having difficulties adapting to it at first and most probably gave up. Just like you did with iOS.

moonburster , 4 days ago

Pff, sure buddy. Used it for 4 months due to my phone being dead. Go shill someone else. If the adoption of a new os goes against what I want of said os, then it’s not an os for me. Simple as that

Tywele , 4 days ago

I don’t care what you use. I was just arguing in support of OSes that people dismiss because they are unfamiliar with it. Calm down.

flop_leash_973 , 5 days ago

In my experience you either have to trade one devil for the other with Apple or accept buying hardware from the ad company so you can use GrapheneOS.

sugar_in_your_tea , 5 days ago

There are more options than GrapheneOS with broader device support, such as Calyx or LineageOS.

But if you use Android already, you can start by using F-Droid (or others) to install apps to find FOSS replacements for apps you use.

WhiskyTangoFoxtrot , 5 days ago

Searching for “Calyx” got me a lot of results that had nothing to do with the Android ROM, so for the convenience of anyone else reading this thread their URL is calyxos.org

SidewaysHighways , 4 days ago

Thank you

Trainguyrom , 5 days ago

You could always go the used/refurbished route to not directly give the chocolate factory money

asdfasdfasdf , 5 days ago

I’m also doing this. Proton is amazing, for the most part. Ente Photos is also incredible for ditching Google Photos, although I’ll probably switch to Proton Photos when that comes out since Ente is pricey.

pathief , 5 days ago

Isn’t proton photos built into their Proton Drive already? It’s implementation is… barebones… On Android but it works.

asdfasdfasdf , 4 days ago

It is, but I’d barely consider it a launch of anything. It displays photos, but that’s it. I could already upload and view photos on Proton Drive before they “launched” this.

Tywele , 4 days ago

Or if you have the skills you can selfhost Immich which is an excellent replacement for Google Photos.

enleeten , 5 days ago

Kagi is a great replacement for Google search. It does cost money though.

Emerald , 4 days ago

Or you can take a Duck. Then get one more Duck. Then you can Go.

duckduckgo.com

CheeseNoodle , 5 days ago

Honestly I just keep my phone as my designated privacy nightmare so I can get free phone calls on wifi and keep in touch with family members who are still on facebook.

nossaquesapao , 5 days ago

Welcome to the world of freedom. The first months may be a bit uncomfortable, but it’s a journey worth taking. Be welcome!

Andromxda OP , 4 days ago

I already ditched Windows for Linux a month ago because of spyware.

Great!

Everything Google-related is next.

Even better.

My phone is going to be the hardest thing to de-infest.

If you plan on getting a new phone soon, I recommend a Google Pixel, on which you can install GrapheneOS. Yes, ironically Google devices are the best for installing alternative operating systems and removing all the Google BS. GrapheneOS is completely free and open source, and based on the Android Open Source Project. It incorporates many privacy and security enhancements, and gives you total freedom and control over your device. In my opinion, it’s the best option for degoogling a phone.

Emerald , 4 days ago

There is also Lineage OS. It’s not as secure but it is compatible with the most amount of devices.

Andromxda OP , 4 days ago

Unfortunately LineageOS is highly insecure because there’s no ability to lock the bootloader, and Android Verified Boot is completely missing. These are just the biggest and most obvious flaws in Lineage, but there are more: madaidans-insecurities.github.io/android.html#lin…

Emerald , 3 days ago

Android is a very secure system, but that comes with some compromises such as customizability and development features. Both of which are important to the Lineage OS project. Also running Lineage OS is not any more insecure then running a Linux or Windows desktop without secure boot, which many people do without issue

Suavevillain , 5 days ago

I will stick with using Firefox.

Andromxda OP , 4 days ago

That’s the way to go

jinarched , 5 days ago

Just use Firefox

shrug

nutsack , 5 days ago (edited 5 days ago)

there’s a portion of the internet that just doesn’t work in Firefox because the company pays only $2 million a year for developers and they can’t do it

I mean web developers not the Firefox developers stop down voting me

I use Firefox and Linux and I don’t drive a car how about that

please give me $40

Omgpwnies , 5 days ago

I’ve yet to find more than a handful of pages that have had issues, and most were fairly poorly coded to begin with

lightnsfw , 5 days ago

I found one the other day but I don’t even recall what it was. I almost never have any problems.

JaddedFauceet , 5 days ago

As part of our company’s security policy, our IT admin disallows firefox to be installed in dev machine.

our engineers cannot test their work in firefox.

LOL

PlantJam , 5 days ago

This nonsense is part of why I prefer to work for smaller companies.

sugar_in_your_tea , 5 days ago

That’s wack.

I think our company does something similar (Chrome by default, need to ask IT for anything else), but our department just said, “we need Macs to do our work, you have no power here…” I hate macOS, but I hate stupid IT policies more.

nutsack , 5 days ago

there’s no quality control with a test suite of browsers and versions running in virtual machines?

JaddedFauceet , 4 days ago

Due to security policy, we cannot run vm. Oh, btw, we do android development too. I guess they didn’t know android studio runs a vm. So that is ok

xavier666 , 4 days ago

Whenever I face an issue in our company portal and I ask the IT team, their response is “Can you please try on Google Chrome?”

🤦🏽🤦🏽

Katana314 , 5 days ago

My biggest issue is video streaming on older computers. I have an old laptop I use casually for video playing in the background, and Webkit browsers like Edge definitely load YouTube with far less stuttering. I’m still trying to find good alternatives - lately even changing the user agent doesn’t seem to make it faster.

TheGrandNagus , 4 days ago

This to me sounds like an issue with hardware video decoding not working right and it falling back to software decoding on the CPU.

Andromxda OP , 4 days ago

Or LibreWolf !librewolf

powermaker450 , 5 days ago

this just in: google is still spying on you in every way possible

CriticalMiss , 5 days ago

Not a legal mastermind by a long shot but it seems like a DMA violation. Someone needs to get the EU on their ass.

victorz , 5 days ago

EU: [RELEASES THE HOUNDS]

bhamlin , 5 days ago

Just make sure it isn’t the Pomeranians this time

Killing_Spark , 5 days ago

Make sure it isn’t just the Pomeranians. Some Pomeranians are definitely going to be in the mix.

bhamlin , 5 days ago

Ok, I’m good with that.

victorz , 4 days ago

I had to look up what the Pomeranian dog breed is, because I’m not good with dog breeds. Soon as the page of images loaded I burst out laughing. 😆 Thank you. Good start to my day.

bhamlin , 4 days ago

Glad to help. 😁 Get out there with that little dog energy.

victorz , 4 days ago

lmao is been good so far. Have to make a long trip with the kids today, so it helped. ❤️

dan , 5 days ago (edited 5 days ago)

There’s a bunch of stuff in Chrome that’s special-cased to only allow Google to access it.

Not sure if it’s still there, but many years ago I was trying to figure out how to do something that some Google webapp was doing (can’t remember which one). I think it was something to do with popping up a chromeless window - that is, a new window with no address bar or browser chrome, just some HTML content.

Turns out the Chromium codebase had a hard-coded allowlist that only allowed *.google.com to use the API!

Edit: my memory was a bit wrong. It was this: stackoverflow.com/a/11614605. The Hangouts extension was allowlisted to use the functionality, but if any other extension wanted to use it, the user had to enable an experimental setting.

Gestrid , 5 days ago

Are you talking about the “apps” that Chrome used to support? They removed the feature years ago to reduce bloat and RAM usage or something like that.

Before they removed the feature, I had actually figured out how to create my own “apps” that’d simply load webpages I visited often at the time, like Twitch.

dan , 5 days ago

I found what I was talking about: stackoverflow.com/a/11614605. It was a feature that the Hangouts extension could use, but the user had to manually enable it in the browser settings for any other extensions to use it.

The apps feature is still there just with a different name. It’s labeled as “create shortcut”, and you have to check the box to open a new window. I use it just because Firefox doesn’t have a similar feature.

QuantumStorm , 5 days ago

I don’t know why, but my head automatically put that as “the apps formerly support by Google” the same as “the artist formerly known as Prince”

vox , 5 days ago

i think it’s used for the performance testing feature in google meet n stuff

RecluseRamble , 5 days ago

Of course there’s some legitimate use case to it. Just like every privacy rights undermining bill helps “the children”. Doesn’t mean that’s the only or even the main goal.