empireOfLove2 ,

Hmmm, no way this could ever turn into a security hole, I’m sure of it.

jinarched ,

Just use Firefox

shrug

nutsack , (edited )

there’s a portion of the internet that just doesn’t work in Firefox because the company pays only $2 million a year for developers and they can’t do it

I mean web developers not the Firefox developers stop down voting me

I use Firefox and Linux and I don’t drive a car how about that

please give me $40

Omgpwnies ,

I’ve yet to find more than a handful of pages that have had issues, and most were fairly poorly coded to begin with

lightnsfw ,

I found one the other day but I don’t even recall what it was. I almost never have any problems.

JaddedFauceet ,

As part of our company’s security policy, our IT admin disallows firefox to be installed in dev machine.

our engineers cannot test their work in firefox.

LOL

PlantJam ,

This nonsense is part of why I prefer to work for smaller companies.

sugar_in_your_tea ,

That’s wack.

I think our company does something similar (Chrome by default, need to ask IT for anything else), but our department just said, “we need Macs to do our work, you have no power here…” I hate macOS, but I hate stupid IT policies more.

nutsack ,

there’s no quality control with a test suite of browsers and versions running in virtual machines?

JaddedFauceet ,

Due to security policy, we cannot run vm. Oh, btw, we do android development too. I guess they didn’t know android studio runs a vm. So that is ok

xavier666 ,

Whenever I face an issue in our company portal and I ask the IT team, their response is “Can you please try on Google Chrome?”

🤦🏽🤦🏽

Katana314 ,

My biggest issue is video streaming on older computers. I have an old laptop I use casually for video playing in the background, and Webkit browsers like Edge definitely load YouTube with far less stuttering. I’m still trying to find good alternatives - lately even changing the user agent doesn’t seem to make it faster.

TheGrandNagus ,

This to me sounds like an issue with hardware video decoding not working right and it falling back to software decoding on the CPU.

Andromxda OP ,
fin ,

“Don’t be evil”

atrielienz ,

Not anymore.

powermaker450 ,

this just in: google is still spying on you in every way possible

alphapuggle ,

Uhh do we know if this extends to sites.google.com?

tal ,

Not an area I’m familiar with, but this user says no:

news.ycombinator.com/item?id=40918052

> lashkari 5 hours ago | prev | next [–]
>
> If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
>
> DownrightNifty 5 hours ago | parent | next [–]
>
> JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.

Andromxda OP ,

You can check this yourself. Just paste this into the developer console:


    chrome.runtime.sendMessage(
      "nkeimhogjdpnpccoofpliimaahmaaome",
      { method: "cpu.getInfo" },
      (response) => {
        console.log(JSON.stringify(response, null, 2));
      },
    );

If you get a return like this, it means that the site has special access to these private, undocumented APIs


    {
      "value": {
        "archName": "arm64",
        "features": [],
        "modelName": "Apple M2 Max",
        "numOfProcessors": 12,
        "processors": [
          {
            "usage": {
              "idle": 26890137,
              "kernel": 5271531,
              "total": 42525857,
              "user": 10364189
            }
          }, ...

_sideffect ,

Why do people still use Chrome?

Please uninstall it from everyone’s home pc and phone that you come into contact with

Tja ,

Because it’s fast and works well enough to keep the fame acquired over the last 10 years.

4am ,

Slower than Firefox

Tja ,

I use both for my job and my subjective feeling is that chrome is faster. Js benchmarks seem to confirm it. Privately I use Firefox 95% of the time but I understand people who stay on chrome just out of inertia.

victorz ,

I’m a Firefox user on desktop and mobile, and I definitely feel like Chrome is faster on both platforms when I (have to) use it. But I prefer Firefox for the ideology and dev tools (on desktop), since I’m a web developer by trade, so the dev tools make a big difference for me.

IronKrill ,

There was a short period a few years ago after the Quantum update that I would have partially agreed, because Firefox’s renderer was much smoother. But Chrome seems to have caught up, because it’s been much faster every time I test something in it in the years since.

_sideffect ,

At the cost of zero privacy, data being stolen and other fundamental issues and morals that Google lacks.

IronKrill ,

Which is invisible to users, meaning they can ignore it or handwave it with “I haven’t got anything to hide”.

RobotZap10000 ,

Or worse, “They already know everything about me, so why bother?”. One of my relatives says this. Kill me now.

VelvetStorm ,

Can someone explain this to me like I’m 5. I understand it’s not good but I don’t know why and I would like to understand it.

JustARegularNerd ,

Effectively Google has a browser extension (just like the ones you’d install from the Chrome Web Store like uBlock Origin) that comes with the browser that’s hidden.

This extension allows Google to see additional information about your computer that extensions and websites don’t normally have access to, such as checking how much load your PC has or directly handing over hardware information like the make and model of your professor.

The big concern in the comments is that this could be used for fingerprinting your browser, even in Incognito mode.

What this essentially means is that even though the browser may not have any cookies saved or any other usual tracking methods, your browser can still be recognised by how it behaves on your machine in particular, and this hidden extension allows Google to retrieve additional information to further narrow down your browser and therefore who you are (as they can link this behaviour and data to when you’ve used Google with that browser signed in), even in Incognito mode.

VelvetStorm ,

Thank you for this info. If this is just an extension, can we just uninstall it or turn it off?

daq ,

This is not a typical extension and it cannot be removed. It doesn’t even show up in the list of installed extensions.

Appoxo ,

Maybe recompiling? But I suspect that Chrome as it is, is closed source?

ABasilPlant ,
Katana314 ,

Seems like a great option. Can anyone more familiar with the code confirm this removes the aforementioned CPU-fingerprinting plugin?

Andromxda OP ,

It does. You can even try it out yourself. Install Ungoogled Chromium, go to google.com and paste the following code in the Developer console (which you can bring up by pressing F12 and clicking on ‘Console’ at the top of the DevTools interface):


    chrome.runtime.sendMessage(
      "nkeimhogjdpnpccoofpliimaahmaaome",
      { method: "cpu.getInfo" },
      (response) => {
        console.log(JSON.stringify(response, null, 2));
      },
    );

If it returns nothing or an error, you’re good. If it returns something like this:


    {
      "value": {
        "archName": "arm64",
        "features": [],
        "modelName": "Apple M2 Max",
        "numOfProcessors": 12,
        "processors": [
          {
            "usage": {
              "idle": 26890137,
              "kernel": 5271531,
              "total": 42525857,
              "user": 10364189
            }
          }, ...

it means that the hidden extension is present, and *.google.com sites have special access in your browser.
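
Added example, not part of Andromxda's comment or of the thread: the same console check wrapped so that the outcomes described in the thread (a `chrome.runtime` that is undefined, an error, no reply, or a CPU-info reply) each map to an explicit verdict. The function names and verdict strings are hypothetical; only the extension ID and the `cpu.getInfo` method come from the post.

```javascript
// Added example, not from the thread. In DevTools on a *.google.com page run:
//   probeHangoutsExtension().then(console.log)
const HANGOUTS_EXT_ID = "nkeimhogjdpnpccoofpliimaahmaaome"; // ID quoted in the post

// Pure classifier (hypothetical helper): turns the raw outcome into a verdict.
function classifyProbe({ hasRuntime, lastError, response }) {
  if (!hasRuntime) {
    // chrome.runtime is only exposed to a page when some extension allow-lists
    // its origin; this is the TypeError case reported further down the thread.
    return { verdict: "no-messaging-api", fields: [] };
  }
  if (lastError || response === undefined || response === null) {
    return { verdict: "no-response", fields: [] };
  }
  const value = response.value;
  if (value && typeof value === "object" && "modelName" in value) {
    // List only which fields were disclosed, not their values.
    return { verdict: "exposed", fields: Object.keys(value).sort() };
  }
  return { verdict: "unexpected-reply", fields: [] };
}

function probeHangoutsExtension(chromeObj = globalThis.chrome, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const runtime = chromeObj && chromeObj.runtime;
    if (!runtime || typeof runtime.sendMessage !== "function") {
      resolve(classifyProbe({ hasRuntime: false }));
      return;
    }
    // Guard against a callback that never fires.
    const timer = setTimeout(
      () => resolve(classifyProbe({ hasRuntime: true })), timeoutMs);
    try {
      runtime.sendMessage(HANGOUTS_EXT_ID, { method: "cpu.getInfo" }, (response) => {
        clearTimeout(timer);
        resolve(classifyProbe({ hasRuntime: true, lastError: runtime.lastError, response }));
      });
    } catch (err) {
      clearTimeout(timer);
      resolve(classifyProbe({ hasRuntime: true, lastError: err }));
    }
  });
}
```

A verdict of `exposed` lists which CPU fields the page could read; `no-messaging-api` and `no-response` correspond to the "returns nothing or an error" case above.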

JackbyDev ,

Chromium is open source. Google Chrome is not open source.

dan ,

> even in Incognito mode.

I thought extensions don’t run in incognito mode?

I know Firefox doesn’t run them by default - you can specify which extensions you’d like to run in incognito mode.

Gestrid ,

> I thought extensions don’t run in incognito mode?

They don’t. Unless you check the box that allows them to. And I’m sure Google has already checked that box by default.

griD ,

I tested it with a stock install of chrome/windows 11. Works.

Appoxo ,

> information like the make and model of your professor

Oh no, not my professor :( (/s)

JustARegularNerd ,

Oh that’s a good typo, I’m leaving that! I look forward to the LLMs in 2030 telling you to watch the temps on your professor and make sure it doesn’t get exposed by Chrome.

Misk ,

So since they only just seem to have discovered this, does that mean this invisible extension is also likely to be present on Chromium-based browsers such as Brave and Thorium etc…?

JackbyDev ,

Yes, though they could remove it. If they’re open source then you could check easily.

WindyRebel , (edited )

Fingerprinting.

Bingo! Google wants to go cookieless and fingerprinting has been one of the solves I’ve always read about in the SEO world.

T156 ,

Does this also affect Chromium, or is it just Google Chrome?

The article mentions it affecting Google Chrome through Chromium, but it’s not clear if it also affects Chromium on its own, or other Chromium-based browsers.

Krzd ,

It allegedly also affects Edge and Vivaldi, so it seems to be chromium not chrome

sqibkw ,

Just now tested in Vivaldi and it works, so yeah seems like Chromium 🥲

redditReallySucks ,

Doesn’t seem to work on cromite desktop (good)

Andromxda OP ,

Chromium is also affected.

JTheFox ,

Chromium alone depends on if it’s the Google version or the Un-Googled version. For the Google version of Chromium, it still has that hangouts extension. However, the Un-Googled Chromium has that extension removed via the build flags, the one to note is enable_hangout_services_extension=false.

As others have said though, it can also depend on what other Chromium-based is being used. Some browsers like Brave and including Vivaldi can have this turned off in the settings. Others like Edge and Opera are affected as well. However it doesn’t affect every Chromium-based browser.

trolololol ,

This that and the article are very light on details, but I couldn’t find an article deeper in details

My laptop, that I own and runs Linux that I installed, has chrome in it. In order to log into Gmail for work, it installs an extension that is capable of telling Gmail if my disk is encrypted. I know because you get an error message until my disk was actually encrypted. It was a big surprise to me, and I wonder if this is done by the same piece of code.

Btw would there be a way to do virtualization through perhaps docker or Flatpak or chroot that can isolate chrome in a sandbox and prevent it from a) reading and writing files anywhere on any disk and b) get other data such as CPU, disk encryption etc?

Andromxda OP ,

> My laptop, that I own and runs Linux that I installed, has chrome in it. In order to log into Gmail for work, it installs an extension that is capable of telling Gmail if my disk is encrypted. I know because you get an error message until my disk was actually encrypted. It was a big surprise to me, and I wonder if this is done by the same piece of code.

That’s strange, I’ve never heard of that before

> Btw would there be a way to do virtualization through perhaps docker or Flatpak or chroot that can isolate chrome in a sandbox and prevent it from a) reading and writing files anywhere on any disk and b) get other data such as CPU, disk encryption etc?

There are some isolation mechanisms on Linux like Firejail or Bubblewrap. The latter is used by Flatpak to sandbox applications. These are rather weak though, and Flatpak weakens the security of bwrap further. By default, Flatpak application permissions are also set in a Manifest file, which is created by the maintainer of the package. To get more control over your Flatpak sandbox, you need to use an application like Flatseal.

Docker (or containers in general) aren’t meant for isolation/sandboxing, but this approach would also work. I would create a container using Distrobox or toolbx, and install Chrome inside the container.

This will not prevent Chrome from getting your CPU information though. To protect against that, you would have to use a virtual machine (and spoof your CPU model if you want to hide that from Chrome).

beeb ,

Sounds easier to switch to another browser at that point

Andromxda OP ,

OP apparently needs Chrome to log into an enterprise GSuite account, which has specific requirements, that are enforced by Chrome’s enterprise policy system. I don’t think this works in Chromium.

beeb ,

Oh I didn’t catch that my bad. I hope they get a work computer where this kind of stuff doesn’t interfere with private life!

Holzkohlen ,

Refreshing change from reading about some new AI powered tracking nonsense in Windows.

faltryka ,

Is this for malicious harvesting or is this part of their chrome device trust product for enterprises?

homesweethomeMrL ,

WINK

Andromxda OP ,

No, as far as I know this has nothing to do with attestation/verification for enterprise users.

mrvictory1 ,

Google Meet can show CPU usage, they aren’t trying to hide this.

hendrik ,

LibreWolf, Mull, Chromium, ...

wanderingmagus ,

It’s apparently built into chromium

hendrik , (edited )

executing that command from the post returns the following on my Chromium:

    VM68:1 Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage')
        at <anonymous>:1:16
    (anonymous) @ VM68:1

wanderingmagus ,

> It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.
>
> It looks like it’s a way to let Google Hangouts (or presumably its modern predecessors) get additional information from the browser, including the current load on the user’s CPU. Update: On Hacker News a Googler confirms that the Google Meet “troubleshooting” feature uses this to review CPU utilization
>
> The code doesn’t do anything on non-Google domains.

Maybe it’s because you tried it on a non Google site? Idk.

hendrik ,

Hehe, I read that sentence, tried it on google.com

But forget what I said. I have the ungoogled variant of Chromium installed. No wonder that's not in there...

crazyminner ,

Surprise Surprise!

vox ,

i think it’s used for the performance testing feature in google meet n stuff

RecluseRamble ,

Of course there’s some legitimate use case to it. Just like every privacy rights undermining bill helps “the children”. Doesn’t mean that’s the only or even the main goal.
