@simon does that mean other extensions that can modify data on *.google.com can also use that extension?

@simon Good find! The next step will be to figure out how it’s used. On which websites is the extension called?

@simon Reminds me of my blog post about How Firefox gives special permissions to *some* domains. https://frederikbraun.de/special-browser-privileges-for-some-domains.html

@simon It works also with brave browser @brave

@simon i can confirm this also works in chromium, where it is enabled in Arc Browser

@simon if that's not a #Govware #Backdoor than IDK what is...

#AllGAFAMsAreBad #AllGAFAMsAreEvil #PRISM #CloudAct

@simon isn't this just the "I agree to share usage metric" EUA we all clicked through? Or is this running even if we unselected that checkbox?

@simon yucky

@simon There's plenty of Google-only or $bigco special-case code in Chromium, unfortunately. IIUC they only implement things like this as last resort.

A lot of these predate modern Web APIs that provide access to the same data/functions, others are needed for complex auth stuff (like smartcards or zero-trust auth), others are needed by ChromeOS components for the OS to work. Many hardcoded allowlists are for third-party extensions by big companies for certain code paths.

@simon@fedi.simonwillison.net There's a list of methods you can try here:

https://chromium.googlesource.com/chromium/src.git/+/main/chrome/browser/resources/hangout_services/thunk.js

Also looks like the list was bigger in previous versions

@simon Hmm, the code doesn't do anything on Cromite (github.com/uazo/cromite), perhaps the extension is removed? Because the error I get is:
"VM68:1 Uncaught
TypeError: Cannot read properties of undefined (reading 'sendMessage')
at <anonymous>:1:16
(anonymous) @ VM68:1"

@simon oh google! dont you just hate them

@simon

That's officially malware, right?

@simon

I have no way to test this on desktop. /s

Does this misfeature exist on old chrome on Android?

I am guessing yes because likely Chrome always had a backdoor. But, maybe not.

@simon Microsoft tried to warn us. They told us we'd be scroogled. Now look at us? We've all been scroogled...

Ah well.

Firefox
https://www.mozilla.org
and list of Searx instances
https://searx.space/
go brrr

@simon I use firefox compiled on Gentoo Linux :)

@simon chrome is essentially a massive spy tool for Google to Hoover up all possible information on you.

@simon time to complain to the EU commission about their abuse of monopoly and power such that Google will force them to open access to those APIs to any site.

@simon Not knowing how '*' is implemented, I'm concerned that it might it used on other websites matching `*.google.com`, such as https://my.malevolence.site/.google.com.

@simon That is, of course, if one still has Chrome installed in the first place. Which... no one really should.

@simon

I got worried, and then I remembered that I had stopped using Chrome.

@simon For what it's worth, Edge is sufficiently 'Chromed' that it does the same there too ...
Although on a non-google site it offers me "Explain Console errors by using Copilot on Edge" :eyeroll:

@simon Yet another reason why NOBODY SHOULD BE USING THAT MULTICOLOURED PIECE OF SHIT!

@simon This also appears to be present in @Vivaldi

@simon Google signing : I am your backdoor man

@simon@fedi.simonwillison.net huuuuh. I wonder if Edge has an equivalent for Bing or MS domains?

(not that they’d technically need it, seeing as most people using Edge are also probably using Windows)

@simon I’m old enough to remember when Microsoft got consent decree’d for this sort of thing. I suppose that’s a quaint idea these days.

@simon

All the more reason to move all Google services under *.google.com instead of dedicated domains like gmail.com, etc

EDIT: @thomasp who is a sysadmin at Vivaldi has mentioned that this can be turned off in the Vivadi settings. See https://social.vivaldi.net/@thomasp/112758811705372022 for details.

@simon I can confirm this also works on @Vivaldi.

Vivaldi staff, is this the best place to report this to hopefully be fixed? Or is there a better place to do so?

@simon
That means #MicrosoftEdge too?

@simon

Don't Use Chrome.

@simon Not near a laptop ATM but does this CLI flag disable it --disable-component-extensions-with-background-pages

IME you can see most hidden Chrome extensions via chrome://system

@simon I'm just wondering how many things goes wrong on modern websites, if I set "*.google.com" and affiliated sites in Blocklist of my opnsense router 🤔

Google really belongs to the same category, like facebook and chinese toktik 😂

@simon for real, shut down that company... Too much control of the market. They literally can do whatever they want and people are pretty much forced to go along with it, because it's way too embeded in everyday tasks.

@simon whoa, didn't Microsoft get in trouble with hidden apis in the 90s? (although, Apple has a bunch now too... Ugh)

@simon
I've been slowly moving away from corporate software for just this reason

@simon Yes, works on chrome on Google pages. Fascinating! Thank you for sharing this!

@simon

That's a bit of a shocker. Neat technique though.

@simon Microsoft did this too, I hope Apple and Mozilla aren't doing it too...

@simon Interesting: ungoogled chromium (top) does not have the API, but regular chromium (bottom) _has_ it, too!

@simon I ain't like to speak unless I notice something is missing from a conversation. So let me say, FUCK THIS SHIT, FUCK THIS STUPID SHIT, AND FUCK THE PEOPLE WHO THOUGHT THIS WAS AN OKAY THING TO DO.

If you KNOW how to do this, you KNOW why it's important that you don't. Your boss tells you do this shit, ... maybe you see what happens if you let it rot in the backlog a bit 😇

@simon Default extensions are a place where Google has done some real damage to the web, and those of us working on platform have been grumpy for more than a decade that this and the Docs Offline nonsense continues to persist.

In both cases, it fell to other teams (not the Hangouts or Docs peeps) to build replacement APIs; e.g.:

https://chromestatus.com/feature/5597608644968448

@simon
"nkeimhogjdpnpccoofpliimaahmaaome!" I exclaimed, upon learning of this.

@simon

Chrome ✅ Chromium ✅ Vivaldi ❌

@simon Soooooo.... anyone still think that this was a good idea that browser companies all dumped their own engines and that all modern browsers nowadays use the same engine? Asking for a friend.

@simon

Article says "via chromium" implying it's in base chromium. Does @Vivaldi have this vulnerability as well?

@simon That is like an add for #Firefox or @Vivaldi ....

@simon

I'm not a programmer so I need everything explained to me like I'm a child.

@simon Can't help but wonder if UnGoogled Chromium has this taken care of...🤔 I'd like to hope so, but I can't assume.

@simon

Ungoogled Chromium seems safe from this

@simon @rmondello dang!

Hey @jon I assume Vivaldi doesn’t do this ?

@simon "nkeimhogjdpnpccoofpliimaahmaaome" ?!

What manner of code is this

@simon I tried to share the above link on my Facebook page and Facebook immediately flagged it as spam and removed it.

@simon As if there weren't enough reasons to *not* use Chrome.

@simon from what I've heard on the Xitter, this is mostly used to debug performance issues. What's scummy is that they only enable it on their domain, which comes off as anti-competitive.

I imagine they'll get in trouble with the court for this, because it's clearly giving them an unfair advantage.

@simon slightly off-topic, but is ChatGPT using imgur to host their pictures? This is what I see when I open your shared conversation

@simon I can confirm #Microsoft didn't remove this for #Edge
```
{
"value": {
"archName": "x86_64",
"features": [
"mmx",
"sse",
"sse2",
"sse3",
"ssse3",
"sse4_1",
"sse4_2",
"avx"
],
"modelName": "12th Gen Intel(R) Core(TM) i7-12800H",
"numOfProcessors": 20,
"processors": [ <cut>],
"temperatures": []
}
}
```
(tested with Edge 126.0.2592.87 on https://www.google.com)

@simon Oh Google, wasn't your motto "Don't be evil"?

@simon Interestingly, it works in Edge, but not Vivaldi.

@simon
Throws an error message here on Chromium from the Debian "testing" repository. I was logged into my gmail account while doing so.

@simon Why people use Chrome is just baffling. It's not even good apart from great raw numbers in JS benchmarks and that's it. You don't need Chrome to be logged into all their services at once as some seem to believe.

@simon I reckon it's used by reCaptcha and possibly Google sign in for detecting automated traffic, particularly as reCaptcha is loaded from google.com. I know lots of bot detection scripts query the chrome.runtime APIs but never understood why.

@simon Following people were surprised:

I stopped using Google services many years ago. I haven't "googled" anything in years.

@simon Just to confirm the command line flag does disable this extension e.g.

open -a "Google Chrome Canary" --args --disable-component-extensions-with-background-pages

One screenshot is with the flag, one as default

(Core Web Vitals Visualiser is an extension I installed rather than one that's bundled with Chrome)

@simon Huh. Having worked on a product that was in many ways a YouTube competitor, I can say that this would have been modestly useful. This seems relevant: https://www.americanbar.org/content/dam/aba/publications/antitrust/magazine/2023/vol-38-issue-1/antitrust-and-self-preferencing.pdf

@simon Hmm, my Chromium 126 does not even allow me to access the `chrome.runtime` API from any page. It is also mentioned that this API is for extensions and content scripts, aka not for plain pages.

@simon Dissappointed, but not surprised.

@simon I did a quick test round. It seems to be any chromium based browser. Brave as well as Edge has it. 😡

@simon note: as this is at the Chromium level it is also executable on Edge and other chromium based browsers

@simon If I disable this in Brave settings it removes the fingerprinting for that profile? The settings language in Brave suggests it might break sharing in other tools like Zoom (web only?) or Teams (web only?). Thanks!
Many of clients use Google products like Drive and Chat. So, sort of stuck often time. It's really too bad because many google products are useful that they have to muck it all up with their trust (as in confidence in and faith in) breaking practices.

@simon @Shamar did you really have to point out that you used a theft machine (“AI”) to write that short JS snippet?

Ah. From your profile, you’re a promoter of these theft machines. Byebye…