Email or username:

Password:

Forgot your password?
Simon Willison

It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage

You can test it out by pasting the following into your Chrome DevTools console on any Google page:

chrome.runtime.sendMessage(
"nkeimhogjdpnpccoofpliimaahmaaome",
{ method: "cpu.getInfo" },
(response) => {
console.log(JSON.stringify(response, null, 2));
},
);

More notes here: simonwillison.net/2024/Jul/9/h

161 comments
Daniel

@simon Interesting! Can this perhaps be used for fingerprinting? ๐Ÿ‘€

Simon Willison

@djh yeah, I imagine the fingerprinting risk is why they don't expose this functionality to everyone else

Vo

@wander1236 @simon @djh Also did you know Google has a subdomain called "stalk.google.com"

Jeff Triplett

@simon @djh I thought it was already established that Google fingerprints you via your account. I think making it private to them keeps others from using it for fingerprinting, but I apologize if I'm missing the point.

Timo Zimmermann

@webology @simon @djh I think the interesting part will be when Europe looks at this and invokes the DMA which should AFAIK apply here.

If this would be the case and if they would rule to open it up for everyone not just the company who already got all your data will be using it. :/

Timo Zimmermann

@SiteRelEnby while Iโ€™d obviously prefer that I honestly donโ€™t see Google make an ethical decision at this point :/

Dan Herbert

@webology I think a major problem here is that the same API also works in Incognito mode. This would allow Google to fingerprint you even if signed out of your account and track you across incognito sessions.

And that's not to mention the fact that the API works even if you're signed out of a Google account so fingerprinting can be performed even without an account.

stefan

@simon But why would Google themselves need it for fingerprint given that the control the whole browser? Or do you mean "they need it for something else but it could be used for fingerprinting by others"? @djh

Rairii

@simon does that mean other extensions that can modify data on *.google.com can also use that extension?

skybrian

@simon Good find! The next step will be to figure out how itโ€™s used. On which websites is the extension called?

AlexTECPlayz

@freddy @simon Well, at least in Firefox's case it doesn't seem to give an unfair advantage to Mozilla or something.

alexanderadam

@freddy @simon the Firefox features make sense though, don't they? ๐Ÿค”

lfa

@simon It works also with brave browser @brave

Morgan

@lfa @simon @brave presumably because Brave is a Chromium browser. So it seems plausible that this is the case for not only Chrome, but also almost every other browser because most browsers are just Chrome with extra steps ๐Ÿ˜”

lfa

@raphaelmorgan @simon @brave

That's the reason I mentioned brave, to let them know of the issue so they can take the step to prevent this.

Morgan

@lfa it appears you have more faith in them than I do, but good idea to at least let them know

Normal :jo_2: :v_enby:

@simon i can confirm this also works in chromium, where it is enabled in Arc Browser

Akkana Peck

@ShadowJonathan @simon It didn't work for me in a chromium incognito window.

Normal :jo_2: :v_enby:

@akkana @simon you need to do it on a google.com website

Akkana Peck

@ShadowJonathan @simon I was on google.com. Not signed in, though; maybe it only works if you're signed in to a Google account? The error message is: Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage') at <anonymous>:1:16

That's from the console I get with from "Inspect" in the context menu, then Console. If I use the hamburger menu More Tools->Developer Tools console, I get: Uncaught TypeError: chrome.runtime.sendMessage is not a function at <anonymous>:1:16

Terci

@akkana @ShadowJonathan @simon

Funny.

I saw the same error, at first.

Turns out I had to be literally be on google.com, not a blank tab that shows a google search box. I'm not signed in to anything and it worked.

Terci

@akkana @ShadowJonathan @simon I haven't updated lately, maybe they snuck it out?
Maybe it's because I'm on windows?

Akkana Peck

@Terci @ShadowJonathan @simon I typed google.com into the urlbar and hit return; the urlbar shows "google.com" but if I copy it it pastes as google.com/ which seems about as googly as I can get.

I'm using chromium from Debian unstable's package; the about box says Version 126.0.6478.126 (Official Build) built on Debian trixie/sid, running on Debian trixie/sid (64-bit)

Possibly Debian is doing something that disables this extension?

Terci

@akkana @ShadowJonathan @simon Good for debian then lol
I really should switch my daily OS

jmjm

@simon isn't this just the "I agree to share usage metric" EUA we all clicked through? Or is this running even if we unselected that checkbox?

Alesandro Ortiz ๐Ÿ‡ต๐Ÿ‡ท๐Ÿณ๏ธโ€๐ŸŒˆ

@simon There's plenty of Google-only or $bigco special-case code in Chromium, unfortunately. IIUC they only implement things like this as last resort.

A lot of these predate modern Web APIs that provide access to the same data/functions, others are needed for complex auth stuff (like smartcards or zero-trust auth), others are needed by ChromeOS components for the OS to work. Many hardcoded allowlists are for third-party extensions by big companies for certain code paths.

Magnus Ahltorp

@AlesandroOrtiz @simon But either itโ€™s ok for general consumption, and then it should be allowed everywhere, or itโ€™s not ok for general consumption, and then it shouldnโ€™t be allowed for Google domains either.

Why should Google domains be treated differently when it comes to smartcard access? And why should Google get a pass on updating their code to newer APIs when everyone else is forced to?

AlexTECPlayz

@simon Hmm, the code doesn't do anything on Cromite (github.com/uazo/cromite), perhaps the extension is removed? Because the error I get is:
"VM68:1 Uncaught
TypeError: Cannot read properties of undefined (reading 'sendMessage')
at <anonymous>:1:16
(anonymous) @ VM68:1"

AlexTECPlayz

@simon It's such a 'mundane' thing to have a built-in advantage over your competitors when you're working at Google...๐Ÿค”

Who gives a fuck about fairness, amirite?

Hunterrules

@simon oh google! dont you just hate them

SpaceLifeForm

@simon

I have no way to test this on desktop. /s

Does this misfeature exist on old chrome on Android?

I am guessing yes because likely Chrome always had a backdoor. But, maybe not.

Thor A. Hopland

@simon Microsoft tried to warn us. They told us we'd be scroogled. Now look at us? We've all been scroogled...

Ah well.

Firefox
mozilla.org
and list of Searx instances
searx.space/
go brrr

Stu

@jilotta @hopland Any sense of when we might get an Android LibreWolf build? Or Raspberry Pi?

Shadow06

@simon I use firefox compiled on Gentoo Linux :)

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@simon time to complain to the EU commission about their abuse of monopoly and power such that Google will force them to open access to those APIs to any site.

Liminal witch ๐Ÿง™โ€โ™€๏ธ Sarah

@simon Not knowing how '*' is implemented, I'm concerned that it might it used on other websites matching `*.google.com`, such as my.malevolence.site/.google.co.

shadowwwind

@xgebi @simon usually extension permissions only affext the host name, so everything before the first /

DELETED

@simon That is, of course, if one still has Chrome installed in the first place. Which... no one really should.

jz.tusk

@simon

I got worried, and then I remembered that I had stopped using Chrome.

Stewart X Addison

@simon For what it's worth, Edge is sufficiently 'Chromed' that it does the same there too ...
Although on a non-google site it offers me "Explain Console errors by using Copilot on Edge" :eyeroll:

Kelson

@jsparknz @simon @Vivaldi I did some testing and found that you can disable it in Vivaldi by turning off the Google Meet support in Vivaldi's Privacy and Security settings.

https://notes.kvibber.com/@kelson/statuses/01J2CQHARWXZ957D8RJ2Z4NNRH

Mine was already turned off, but I don't know what the default is, since I installed it so long ago and don't remember what settings I changed at the time.

Emmy - Dial Tone *biiiiip*

@kelson @jsparknz @simon @Vivaldi oh noooo! This has to go. I really don't want to switch back to Firefox from Vivaldi again.

JonathanS

@sillyCoelophysis @kelson @simon @Vivaldi I myself am just in the process of testing the waters for a possible switch from Firefox to Vivaldi. This kind of hidden surprise doesn't give me good vibes!

Emmy - Dial Tone *biiiiip*

@jsparknz @kelson @simon @Vivaldi Vivaldi seems to be much more trustworthy than Mozilla. While they're far from the worst of all the browser makers, Mozilla has done quite a few questionable things that make me uncomfortable about using their software.

The fact that Vivaldi uses chromium has been my only issue with them. As long as they are willing to mitigate these flaws, which they've shown to be in the past, they're my first choice.

Plus, the features! Workspaces, tiling, customization.๐Ÿคค

JonathanS

@kelson @simon @Vivaldi Thank you for sharing that. I tried it out and turning it off works. It does seem to me something that should be off by default, though.

Hans-Cees

@simon Google signing : I am your backdoor man

Asta [AMP]

@simon@fedi.simonwillison.net huuuuh. I wonder if Edge has an equivalent for Bing or MS domains?

(not that theyโ€™d technically need it, seeing as most people using Edge are also probably using Windows)

The Witch of Crow Briar

@simon Iโ€™m old enough to remember when Microsoft got consent decreeโ€™d for this sort of thing. I suppose thatโ€™s a quaint idea these days.

Eli the Bearded

@simon

All the more reason to move all Google services under *.google.com instead of dedicated domains like gmail.com, etc

[DATA EXPUNGED]
Andy Davies

@simon Not near a laptop ATM but does this CLI flag disable it --disable-component-extensions-with-background-pages

IME you can see most hidden Chrome extensions via chrome://system

chjara
@simon seems to be patched out on ungoogled chromium
jozefch

@simon I'm just wondering how many things goes wrong on modern websites, if I set "*.google.com" and affiliated sites in Blocklist of my opnsense router ๐Ÿค”

Google really belongs to the same category, like facebook and chinese toktik ๐Ÿ˜‚

jan-leila

@jozefch @simon why did you feel the need to specify Chinese here? They arnt bad because they are a Chinese company they are bad because they are a big tech company and by definition have profit incentives that are harmful to their users

Tritz

@simon for real, shut down that company... Too much control of the market. They literally can do whatever they want and people are pretty much forced to go along with it, because it's way too embeded in everyday tasks.

Silvenga

@simon whoa, didn't Microsoft get in trouble with hidden apis in the 90s? (although, Apple has a bunch now too... Ugh)

Old Man

@simon
I've been slowly moving away from corporate software for just this reason

Demiurg

@simon Yes, works on chrome on Google pages. Fascinating! Thank you for sharing this!

Jim Donegan โœ…

@simon

That's a bit of a shocker. Neat technique though.

gudenau

@simon Microsoft did this too, I hope Apple and Mozilla aren't doing it too...

Claudius

@simon Interesting: ungoogled chromium (top) does not have the API, but regular chromium (bottom) _has_ it, too!

Steffo
@simon Seems like this is happening on @Vivaldi as well; can you folks have a look at it?
gibeath

@simon I ain't like to speak unless I notice something is missing from a conversation. So let me say, FUCK THIS SHIT, FUCK THIS STUPID SHIT, AND FUCK THE PEOPLE WHO THOUGHT THIS WAS AN OKAY THING TO DO.

If you KNOW how to do this, you KNOW why it's important that you don't. Your boss tells you do this shit, ... maybe you see what happens if you let it rot in the backlog a bit ๐Ÿ˜‡

Alex Russell

@simon Default extensions are a place where Google has done some real damage to the web, and those of us working on platform have been grumpy for more than a decade that this and the Docs Offline nonsense continues to persist.

In both cases, it fell to other teams (not the Hangouts or Docs peeps) to build replacement APIs; e.g.:

chromestatus.com/feature/55976

Alex Russell

@mitch You know how we spent years building Service Workers and Background Sync and Periodic Background Sync and fixing storage quotas for large-volume offline data?

Um, yeah. About that (latest dev channel, fresh profile):

Alex Russell

@mitch On by default, works only on Google properties, and "works around" the limits of the web platform *that we put in place to meaningfully safeguard user battery and storage and bandwidth*. At least it's not buried in `chrome://system` like the CPU monitoring extension is, but no less self-preferencing for it.

Alex Russell

@mitch The tragedy in both instances is that the teams that dropped turds in Chrome have faced no pressure to move to open, interoperable APIs, meaning other browsers (including other Chromium ecosystem browsers) feel forced to include them to make sure that Google's very popular web properties "work right".

This also keeps web APIs from advancing because teams that would push them forward already have theirs, Jack. It's not Android levels of bad, but it's bad.

Mitch Effendi (ู…ูŠุชุด ุฃูู†ุฏูŠ)

@slightlyoff woah. Thanks for sharing. I was aware of the volume size b/c of my runaway cache at work but the rest was news to me.

d@nny "disc@" mcยฒ

@slightlyoff @mitch what does this screenshot demonstrate? that docs offline is preinstalled?

d@nny "disc@" mcยฒ

@slightlyoff @mitch how does it work around web APIs? are you saying it's able to do so because it's preinstalled instead of being a real extension?

Alex Russell

@hipsterelectron @mitch Yes, it's pre-installed, and it's using Extensions capabilities (superpowers) to do high frequency data sync and other things that should be left to the browser's default heuristics about which sites you use most.

Forbearance

@simon
"nkeimhogjdpnpccoofpliimaahmaaome!" I exclaimed, upon learning of this.

kravietz ๐Ÿฆ‡

@simon

Chrome โœ… Chromium โœ… Vivaldi โŒ

Brokar

@simon Soooooo.... anyone still think that this was a good idea that browser companies all dumped their own engines and that all modern browsers nowadays use the same engine? Asking for a friend.

AT-AT Assault :verifiedtrans:

@simon

Article says "via chromium" implying it's in base chromium. Does @Vivaldi have this vulnerability as well?

hazy

@simon

I'm not a programmer so I need everything explained to me like I'm a child.

BeAware :fediverse:

@simon Can't help but wonder if UnGoogled Chromium has this taken care of...๐Ÿค” I'd like to hope so, but I can't assume.

Ozzy

@BeAware@social.beaware.live @simon@fedi.simonwillison.net
I think most browsers and nearly all phones apps send this type of data to for profit analytic companies

Our law makers โ€‹:blobcatsleep:โ€‹

James Bilsbrough

@simon @rmondello dang!

Hey @jon I assume Vivaldi doesnโ€™t do this ?

rRonald rRedball

@simon "nkeimhogjdpnpccoofpliimaahmaaome" ?!

What manner of code is this

rRonald rRedball

@simon I tried to share the above link on my Facebook page and Facebook immediately flagged it as spam and removed it.

Pete Orrall

@simon As if there weren't enough reasons to *not* use Chrome.

Wattana

@simon from what I've heard on the Xitter, this is mostly used to debug performance issues. What's scummy is that they only enable it on their domain, which comes off as anti-competitive.

I imagine they'll get in trouble with the court for this, because it's clearly giving them an unfair advantage.

Tymscar :linux:

@simon slightly off-topic, but is ChatGPT using imgur to host their pictures? This is what I see when I open your shared conversation

Simon Willison

@Tymscar something has gone very wrong there - shouldn't be any images in that post at all, it looks like this for me

Tobias Schmidl

@simon I can confirm #Microsoft didn't remove this for #Edge
```
{
"value": {
"archName": "x86_64",
"features": [
"mmx",
"sse",
"sse2",
"sse3",
"ssse3",
"sse4_1",
"sse4_2",
"avx"
],
"modelName": "12th Gen Intel(R) Core(TM) i7-12800H",
"numOfProcessors": 20,
"processors": [ <cut>],
"temperatures": []
}
}
```
(tested with Edge 126.0.2592.87 on google.com)

[DATA EXPUNGED]
็ฟ ๆ˜Ÿ็Ÿณ
@simon >how google chrome is chock full of spyware is meant to be a surprise.
DELETED

@simon
Throws an error message here on Chromium from the Debian "testing" repository. I was logged into my gmail account while doing so.

RejZoR

@simon Why people use Chrome is just baffling. It's not even good apart from great raw numbers in JS benchmarks and that's it. You don't need Chrome to be logged into all their services at once as some seem to believe.

Paul Adams

@simon I reckon it's used by reCaptcha and possibly Google sign in for detecting automated traffic, particularly as reCaptcha is loaded from google.com. I know lots of bot detection scripts query the chrome.runtime APIs but never understood why.

OH3CUF

@simon Following people were surprised:

I stopped using Google services many years ago. I haven't "googled" anything in years.

Andy Davies

@simon Just to confirm the command line flag does disable this extension e.g.

open -a "Google Chrome Canary" --args --disable-component-extensions-with-background-pages

One screenshot is with the flag, one as default

(Core Web Vitals Visualiser is an extension I installed rather than one that's bundled with Chrome)

Adam Roach

@simon Huh. Having worked on a product that was in many ways a YouTube competitor, I can say that this would have been modestly useful. This seems relevant: americanbar.org/content/dam/ab

waldi

@simon Hmm, my Chromium 126 does not even allow me to access the `chrome.runtime` API from any page. It is also mentioned that this API is for extensions and content scripts, aka not for plain pages.

TSource Engine Query
@simon is this surprising?
That's pretty much expected from Google.
Ryan Paaz

@simon Dissappointed, but not surprised.

Jolle

@simon I did a quick test round. It seems to be any chromium based browser. Brave as well as Edge has it. ๐Ÿ˜ก

Rafa Guillermo

@simon note: as this is at the Chromium level it is also executable on Edge and other chromium based browsers

ES Michelson

@simon If I disable this in Brave settings it removes the fingerprinting for that profile? The settings language in Brave suggests it might break sharing in other tools like Zoom (web only?) or Teams (web only?). Thanks!
Many of clients use Google products like Drive and Chat. So, sort of stuck often time. It's really too bad because many google products are useful that they have to muck it all up with their trust (as in confidence in and faith in) breaking practices.

mirabilos

@simon @Shamar did you really have to point out that you used a theft machine (โ€œAIโ€) to write that short JS snippet?

Ah. From your profile, youโ€™re a promoter of these theft machines. Byebyeโ€ฆ

Tann

@simon friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.

If you don't want to do that, the paid version of #netguard can at least lock down your phone's network traffic app by app and web address by web address.

@simon friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.

Go Up