Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage

VelvetStorm , 5 days ago

Can someone explain this to me like I’m 5. I understand it’s not good but I don’t know why and I would like to understand it.

JustARegularNerd , 5 days ago

Effectively Google has a browser extension (just like the ones you’d install from the Chrome Web Store like uBlock Origin) that comes with the browser that’s hidden.

This extension allows Google to see additional information about your computer that extensions and websites don’t normally have access to, such as checking how much load your PC has or directly handing over hardware information like the make and model of your professor.

The big concern in the comments is that this could be used for fingerprinting your browser, even in Incognito mode.

What this essentially means is that even though the browser may not have any cookies saved or any other usual tracking methods, your browser can still be recognised by how it behaves on your machine in particular, and this hidden extension allows Google to retrieve additional information to further narrow down your browser and therefore who you are (as they can link this behaviour and data to when you’ve used Google with that browser signed in), even in Incognito mode.

VelvetStorm , 5 days ago

Thank you for this info. If this is just an extension, can we just uninstall it or turn it off?

daq , 5 days ago

This is not a typical extension and it cannot be removed. It doesn’t even show up in the list of installed extensions.

Appoxo , 5 days ago

Maybe recompiling? But I suspect that Chrome as it is, is closed source?

ABasilPlant , 5 days ago

github.com/ungoogled-software/ungoogled-chromium

…github.io/ungoogled-chromium-binaries/

Katana314 , 5 days ago

Seems like a great option. Can anyone more familiar with the code confirm this removes the aforementioned CPU-fingerprinting plugin?

Andromxda OP , 4 days ago

It does. You can even try it out yourself. Install Ungoogled Chromium, go to google.com and paste the following code in the Developer console (which you can bring up by pressing F12 and clicking on ‘Console’ at the top of the DevTools interface):

<span style="color:#323232;">    chrome.runtime.sendMessage(
</span><span style="color:#323232;">      "nkeimhogjdpnpccoofpliimaahmaaome",
</span><span style="color:#323232;">      { method: "cpu.getInfo" },
</span><span style="color:#323232;">      (response) => {
</span><span style="color:#323232;">        console.log(JSON.stringify(response, null, 2));
</span><span style="color:#323232;">      },
</span><span style="color:#323232;">    );
</span>

If it returns nothing or an error, you’re good. If it returns something like this:

<span style="color:#323232;">{
</span><span style="color:#323232;">  "value": {
</span><span style="color:#323232;">    "archName": "arm64",
</span><span style="color:#323232;">    "features": [],
</span><span style="color:#323232;">    "modelName": "Apple M2 Max",
</span><span style="color:#323232;">    "numOfProcessors": 12,
</span><span style="color:#323232;">    "processors": [
</span><span style="color:#323232;">      {
</span><span style="color:#323232;">        "usage": {
</span><span style="color:#323232;">          "idle": 26890137,
</span><span style="color:#323232;">          "kernel": 5271531,
</span><span style="color:#323232;">          "total": 42525857,
</span><span style="color:#323232;">          "user": 10364189
</span><span style="color:#323232;">        }
</span><span style="color:#323232;">      }, ...
</span>

it means that the hidden extension is present, and *.google.com sites have special access in your browser.

JackbyDev , 5 days ago

Chromium is open source. Google Chrome is not open source.

dan , 5 days ago

even in Incognito mode.

I thought extensions don’t run in incognito mode?

I know Firefox doesn’t run them by default - you can specify which extensions you’d like to run in incognito mode.

Gestrid , 5 days ago

I thought extensions don’t run in incognito mode?

They don’t. Unless you check the box that allows them to. And I’m sure Google has already checked that box by default.

griD , 5 days ago

I tested it with a stock install of chrome/windows 11. Works.

Appoxo , 5 days ago

information like the make and model of your professor

Oh no, not my professor :( (/s)

JustARegularNerd , 5 days ago

Oh that’s a good typo, I’m leaving that! I look forward to the LLMs in 2030 telling you to watch the temps on your professor and make sure it doesn’t get exposed by Chrome.

Misk , 5 days ago

So since they only just seem to have discovered this, does that mean this invisible extension also likely to be present on Chromium based browsers such as Brave and Thorium etc…?

JackbyDev , 5 days ago

Yes, though they could remove it. If they’re open source then you could check easily.

WindyRebel , 5 days ago (edited 5 days ago)

Fingerprinting.

Bingo! Google wants to go cookieless and fingerprinting has been one of the solves I’ve always read about in the SEO world.

4am , 5 days ago

Remember when Google pushed for use of open standard in the browser to force Microsoft IE out of the market? Oh yeah I ‘member

paridoxical , 5 days ago

They have become the evil they once sought to combat.

alphapuggle , 6 days ago

Uhh do we know if this extends to sites.google.com?

tal , 6 days ago

Not an area I’m familiar with, but this user says no:

news.ycombinator.com/item?id=40918052

lashkari 5 hours ago | prev | next [–]

If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?

DownrightNifty 5 hours ago | parent | next [–]

JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.

Andromxda OP , 6 days ago

You can check this yourself. Just paste this into the developer console:

<span style="color:#323232;">chrome.runtime.sendMessage(
</span><span style="color:#323232;">  "nkeimhogjdpnpccoofpliimaahmaaome",
</span><span style="color:#323232;">  { method: "cpu.getInfo" },
</span><span style="color:#323232;">  (response) => {
</span><span style="color:#323232;">    console.log(JSON.stringify(response, null, 2));
</span><span style="color:#323232;">  },
</span><span style="color:#323232;">);
</span>

If you get a return like this, it means that the site has special access to these private, undocumented APIs

<span style="color:#323232;">{
</span><span style="color:#323232;">  "value": {
</span><span style="color:#323232;">    "archName": "arm64",
</span><span style="color:#323232;">    "features": [],
</span><span style="color:#323232;">    "modelName": "Apple M2 Max",
</span><span style="color:#323232;">    "numOfProcessors": 12,
</span><span style="color:#323232;">    "processors": [
</span><span style="color:#323232;">      {
</span><span style="color:#323232;">        "usage": {
</span><span style="color:#323232;">          "idle": 26890137,
</span><span style="color:#323232;">          "kernel": 5271531,
</span><span style="color:#323232;">          "total": 42525857,
</span><span style="color:#323232;">          "user": 10364189
</span><span style="color:#323232;">        }
</span><span style="color:#323232;">      }, ...
</span>

crazyminner , 6 days ago

Suprise Suprise!

Imgonnatrythis , 6 days ago

Ianal, but this sounds like something worthy of suing their ass over. There’s not much Google would respond to and good luck beating their lawyers, but the only language they speak is $, so please try to take as much as possible away from them for this garbage.

hendrik , 6 days ago

LibreWolf, Mull, Chromium, ...

wanderingmagus , 5 days ago

It’s apparently built into chromium

hendrik , 5 days ago (edited 5 days ago)

executing that command from the post returns the following on my Chromium:

VM68:1 Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage')
    at [HTML_REMOVED]:1:16
(anonymous) @ VM68:1

wanderingmagus , 5 days ago

It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.

It looks like it’s a way to let Google Hangouts (or presumably its modern predecessors) get additional information from the browser, including the current load on the user’s CPU. Update: On Hacker News a Googler confirms that the Google Meet “troubleshooting” feature uses this to review CPU utilization

The code doesn’t do anything on non-Google domains.

Maybe it’s because you tried it on a non Google site? Idk.

hendrik , 5 days ago

Hehe, I read that sentence, tried it on google.com

But forget what I said. I have the ungoogled variant of Chromium installed. No wonder that's not in there...

cubism_pitta , 6 days ago

Google does a lot of standards breaking things.

Like allowing a link on Google Apps Marketplace to open a new window (like popup) with POST instead of GET. (This pretty much ensures that buying an app will fail for browsers that follow the spec)

victorz , 5 days ago

This garbage behavior is in Chromium as well?

_sideffect , 6 days ago

Why do people still use Chrome?

Please uninstall it from everyone’s home pc and phone that you come into contact with

Tja , 6 days ago

Because it’s fast and works well enough to keep the fame acquired over the last 10 years.

4am , 5 days ago

Slower than Firefox

Tja , 5 days ago

I use both for my job and my subjective feeling is that chrome is faster. Js benchmarks seems to confirm it. Privately I use Firefox 95% of the time but I understand people who stay on chrome just out of inertia.

victorz , 5 days ago

I’m a Firefox user on desktop and mobile, and I definitely feel like Chrome is faster on both platforms when I (have to) use it. But I prefer Firefox for the ideology and dev tools (on desktop), since I’m a web developer by trade, so the dev tools make a big difference for me.

IronKrill , 5 days ago

There was a short period a few years ago after the Quantum update that I would have partially agreed, because Firefox’s renderer was much smoother. But Chrome seems to have caught up, because it’s been much faster every time I test something in it in the yesrs since.

_sideffect , 5 days ago

At the cost of zero privacy, data being stolen and other fundamental issues and morals that Google lacks.

IronKrill , 5 days ago

Which is invisible to users, meaning they can ignore it or handwave it with “I haven’t got anything to hide”.

RobotZap10000 , 5 days ago

Or worse, “They already know everything about me, so why bother?”. One of my relatives says this. Kill me now.

empireOfLove2 , 6 days ago

Hmmm, no way this could ever turn into a security hole, I’m sure of it.

faltryka , 6 days ago

Is this for malicious harvesting or is this part of their chrome device trust product for enterprises?

homesweethomeMrL , 6 days ago

WINK

Andromxda OP , 6 days ago

No, as far as I know this has nothing to do with attestation/verification for enterprise users.

mrvictory1 , 6 days ago

Google Meet can show CPU usage, they aten’t trying to hide this.

Gloria , 6 days ago

#UninstallChrome

Andromxda OP , 6 days ago

#SwitchToFirefox

victorz , 5 days ago

Here, you forgot this: ``

Andromxda OP , 6 days ago

Yet another reason to switch to Firefox, or even better, a hardened fork like LibreWolf !librewolf

sigmaklimgrindset , 6 days ago

What functionality would I lose/gain if I switch from Firefox to Librewolf? I’m admittedly an amateur in the privacy space, and I’ve been pretty content with Firefox + Ublock and container tabs for different profiles, but I consistently get the issue that my browser fingerprint is pretty unique, and I have no idea how to or even if I can anonymize that anymore.

calamitycastle , 6 days ago

Yes, why to do this?

Imgonnatrythis , 6 days ago

Librewolf is not associated with Mozilla and does not receive their primary source of funding from Google like Mozilla does. I really like having the same browser and browser synchronization between my phone and desktop/laptop, so librewolf is out for me. They have no interest or resources to build an Android version. Waterfox does at least have desktop / android option and takes things at least one small step further away from Google.

sigmaklimgrindset , 5 days ago

Thanks for the answer! I run Windows, iOS and Linux across multiple devices, and sync is definitely needed for me as well. I’ll look into Waterfox!

Andromxda OP , 5 days ago

The previous answer is misleading and partially just wrong. Firefox Sync works just fine in LibreWolf, you just need to enable it in the settings. I currently sync my LibreWolf browser on my Linux desktop to Firefox on iOS and Mull on Android, no issues whatsoever. The only Mozilla services that LibreWolf intentionally removes are their telemetry and Pocket.

muntedcrocodile , 5 days ago

U can sync regular mobile ff and librewolf. Thats what i currently have.

Andromxda OP , 5 days ago

It is the same browser. LibreWolf doesn’t change much of the Firefox code, mostly just the configuration. They enable various privacy/security settings by default and remove Mozilla telemetry. You can go to the LibreWolf settings and enable Firefox Sync, and it will work just fine with your Mozilla account and other Firefox browsers.

For Android, I like to use Mull, it’s a hardened build of Firefox, similar to LibreWolf.

pathief , 5 days ago

You can enable Firefox sync in Librewolf, it works fine.

Danitos , 5 days ago

Tangent note: I think browser fingerprinting is only a source of concern if you use VPN. Otherwise, your IP is already a good enough identifier, and quite likely doesn’t rotate often enough. Please someone correct me if I’m wrong.

kava , 5 days ago

Yeah I’d only worry about it if I were trying to buy drugs on the dark net or something. I guess if torrenting became illegal I would also worry.

skybox , 5 days ago

Became? 🤔

mondoman712 , 4 days ago

Different places have different laws

Mongostein , 4 days ago

Torrenting itself is not illegal. The distribution of copyrighted material that you don’t own is the illegal part of

kava , 5 hours ago

It’s sort of legally gray but generally speaking in the US downloading is a civil offense but not a criminal one. You can get sued by the copyright holder for example but you won’t end up in jail over it.

People usually never get sued for it because it’s not worth it for Comcast to pay for lawyers to try and extract any money out of regular people. Not only will they almost certainly be unable to even recoup the lawyer fees, they risk getting a lot of bad PR for no gain.

What’s usually considered an arrestable offense is uploading aka distribution. Once you start hosting seedboxes then you enter the area where you’re liable to go to prison.

Danitos , 4 days ago

No. If you don’t want to be tracked and you are using a VPN, fingerprinting is a problem as well. Privacy is not concern just for drug dealers.

brbposting , 4 days ago

I worry about price discrimination

https://sh.itjust.works/pictrs/image/2db970eb-783e-4aaf-8c26-31a708932d5e.jpeg

kava , 3 days ago

I appreciate the list. I’m not saying there aren’t valid concerns, just that in my day to day life it’s one of those items where the steps needed to avoid browser fingerprinting is usually more work than the value I personally get from my perspective.

I’ve looked into this, and I’m not clueless. I’ve developed websites, I’ve done a lot of stuff with Selenium / Puppeteer, and have toyed with Firefox browser extensions.

I understand the tools they use and it’s just very tricky to fully eliminate this type of thing. For example they can even use the browser window size. Are you going to randomly change window size to some novel dimension when you open up a tab?

What about the JS engine you use. For example using Firefox already narrows down your anonymity by like 95% or something because only a small amount of users use the browser. Etc etc

It’s hard to do this correctly, and I feel like VPN + private window usually takes care of the price fixing thing on the list, for example. When I’m searching for flights I usually do this.

I also use JS blockers in order to try and mess up the scripts that Facebook & Google have hidden over the internet to track you. But ironically, doing that again reduces your anonymity. They know that if their scripts don’t work on you, you get narrowed down again to a very small % of users.

It only takes a few of those pieces of data to be reasonably sure that it’s you. Browser fingerprinting is tricky to really avoid. It’s not impossible, of course. Just saying to really do it right it might be more effort than it’s worth.

brbposting , 3 days ago

The depth of fingerprinting really bothers me and I have accepted that the best at it will succeed.

It is tempting to find the world’s most popular default configuration and use that :) But that’s prob be something gross like Windows 10 & Chrome! In fact, that’d be second after Android & Chrome. Wonder how detectable VMing/emulating those configurations would be.

Agree with you and appreciate the detailed response!

Mkengine , 5 days ago

Switching from Firefox to Librewolf has some pros and cons. Librewolf is a fork of Firefox focused on privacy and security, with telemetry stripped out and privacy settings maxed out by default. You’ll gain better out-of-the-box privacy protections, meaning less tracking and data collection without having to tweak settings yourself.

However, you might lose some convenience. Librewolf might not support certain Firefox features like Sync, since it relies on Mozilla’s servers (not sure about that point, maybe it does work). It can also break some websites due to the stricter privacy settings. Another thing to consider is that you won’t get updates as quickly as Firefox.

Regarding browser fingerprinting, it’s a tricky beast. Librewolf can help somewhat by making your fingerprint less unique, but it’s not a silver bullet. Tools like uBlock Origin and container tabs are great, but adding something like the CanvasBlocker extension can also help reduce fingerprinting. Ultimately, no setup is perfect, but Librewolf is a solid step towards better privacy.

JackbyDev , 5 days ago

I don’t really care too too much about privacy. If they get rid of the Pocket button then I’d be happy enough.

masterofn001 , 5 days ago

About:config

Extensions.pocket.enabled false

JackbyDev , 5 days ago

https://programming.dev/pictrs/image/5a4aa72e-5294-495f-9fdf-051e8e2ced3c.webp

octopus_ink , 4 days ago

May I please steal this for future use?

JackbyDev , 4 days ago

I stole it too lol

pathief , 5 days ago

Firefox sync is disabled by default but you can enable it in the settings.

PetroGuy , 5 days ago

if it’s fingerprinting you care about, i’d give mullvad browser a try. it’s a firefox fork tailored to increase privacy and blend you into the crowd (as long as you don’t change any setting/install addons). it’s very very neat.

TheGrandNagus , 4 days ago

Mostly it’s just FF but with more private defaults (that you can change in the settings trivially anyway), although there are one or two extras.

There is a potential issue, though. Librewolf runs behind, so security vulnerabilities, particularly for zero-day exploits, take longer to be patched.

kakes , 6 days ago

It baffles me that they sell Chrome as private and/or secure, and baffles me even more that people believe them.

sudo , 6 days ago

It baffles me people use chrome.

SorryQuick , 5 days ago

Why? There was a time when chrome was significantly better, and most people hate change.

kava , 5 days ago

I remember back in the day everyone used Firefox. Then Chrome came out and there was a nice ad campaign and it was actually way faster.

Then slowly everyone switched to Chrome. At some point in the last 15 years, it switched to Firefox being superior.

I switched back to Firefox maybe like 7~ years ago? But I did it for open source reasons.

nyan , 6 days ago

Would everyone who is surprised by this please raise your hand? . . . That’s what I thought.

gofsckyourself , 6 days ago

I am

homesweethomeMrL , 6 days ago

License and registration, sir

11111one11111 , 5 days ago

Really? That’s not what the data from your api says /s

littlewonder , 5 days ago

Keep your hand raised because I’m coming in for a perfectly-landed high-five!

moriquende , 5 days ago

perfectly-landed never happened before, and never will

gjoel , 5 days ago

You don’t need to actually write it, just raise your hand and we have registered your vote, either via your computer’s camera, Google Nest, Google Assistant or inferred it by analysing the WiFi data returned by your Google Mesh network.

victorz , 5 days ago

Not surprised, but still disappointed.