It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage.
You can test it out by pasting the following into your Chrome DevTools console on any Google page:
```
chrome.runtime.sendMessage(
  "nkeimhogjdpnpccoofpliimaahmaaome",
  { method: "cpu.getInfo" },
  (response) => {
    console.log(JSON.stringify(response, null, 2));
  },
);
```
More notes here: https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/
hangout_services/thunk.js
It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the `*.google.com` domains - tweeted about today [by Luca Casonato](https://twitter.simonwillison.net
Frederik Braun
in reply to Simon Willison • • •
Frederik Braun - How Firefox gives special permissions to some domains
AlexTECPlayz
in reply to Simon Willison • • •
"VM68:1 Uncaught
TypeError: Cannot read properties of undefined (reading 'sendMessage')
at <anonymous>:1:16
(anonymous) @ VM68:1"
Stewart X Addison
in reply to Simon Willison • • •
Although on a non-google site it offers me "Explain Console errors by using Copilot on Edge"
John Socks
in reply to Simon Willison • • •
Seems like we could have dueling audiences here. One set could say Google should not hog my system's resources. The other could say Google should not check my system's resources.
Hope these are not the same people
Albano Hummel
in reply to Simon Willison • • •
EDIT: @thomasp who is a sysadmin at Vivaldi has mentioned that this can be turned off in the Vivaldi settings. See https://social.vivaldi.net/@thomasp/112758811705372022 for details.
@simon I can confirm this also works on @Vivaldi.
Vivaldi staff, is this the best place to report this to hopefully be fixed? Or is there a better place to do so?
Andy Davies
in reply to Simon Willison • • •
Not near a laptop ATM but does this CLI flag disable it: `--disable-component-extensions-with-background-pages`?
IME you can see most hidden Chrome extensions via chrome://system
jozefch
in reply to Simon Willison • • •
I'm just wondering how many things go wrong on modern websites, if I set "*.google.com" and affiliated sites in Blocklist of my opnsense router 🤔
Google really belongs to the same category, like Facebook and Chinese toktik 😂
gibeath
in reply to Simon Willison • • •
I ain't like to speak unless I notice something is missing from a conversation. So let me say, FUCK THIS SHIT, FUCK THIS STUPID SHIT, AND FUCK THE PEOPLE WHO THOUGHT THIS WAS AN OKAY THING TO DO.
If you KNOW how to do this, you KNOW why it's important that you don't. Your boss tells you do this shit, ... maybe you see what happens if you let it rot in the backlog a bit 😇
Alex Russell
in reply to Simon Willison • • •
Default extensions are a place where Google has done some real damage to the web, and those of us working on platform have been grumpy for more than a decade that this and the Docs Offline nonsense continues to persist.
In both cases, it fell to other teams (not the Hangouts or Docs peeps) to build replacement APIs; e.g.:
https://chromestatus.com/feature/5597608644968448
Ozzy
in reply to BeAware :veriweed: • • •
I think most browsers and nearly all phone apps send this type of data to for profit analytic companies
Our law makers
BeAware :veriweed:
in reply to Ozzy • • •
@ozzy Now I'm wanting a comparison of "phone home" data sent from our browsers without our knowledge. Someone get on it!
Resource usage is almost useless info, in my opinion. Don't see what they can do with that, that would be nefarious, maybe someone can enlighten me?
However, they can fuck off out of my apps via API. NOPE.
Are other browsers like Firefox really taking this info as well? 😬
James Bilsbrough
in reply to Simon Willison • • •
@rmondello dang!
Hey @jon I assume Vivaldi doesn’t do this?
rRonald rRedball
in reply to Simon Willison • • •
"nkeimhogjdpnpccoofpliimaahmaaome" ?!
What manner of code is this
Simon Willison
in reply to rRonald rRedball • • •
chromium/chrome/browser/resources/hangout_services/manifest_v3.json at 114ce7cc6f47e4d06bb8a5168e3ed2efd38fc0d6 · chromium/chromium
GitHub
Wattana
in reply to Simon Willison • • •
from what I've heard on the Xitter, this is mostly used to debug performance issues. What's scummy is that they only enable it on their domain, which comes off as anti-competitive.
I imagine they'll get in trouble with the court for this, because it's clearly giving them an unfair advantage.
Tobias Schmidl
in reply to Simon Willison • • •
```
{
  "value": {
    "archName": "x86_64",
    "features": [
      "mmx",
      "sse",
      "sse2",
      "sse3",
      "ssse3",
      "sse4_1",
      "sse4_2",
      "avx"
    ],
    "modelName": "12th Gen Intel(R) Core(TM) i7-12800H",
    "numOfProcessors": 20,
    "processors": [ <cut>],
    "temperatures": []
  }
}
```
(tested with Edge 126.0.2592.87 on https://www.google.com)
OH3CUF
in reply to Simon Willison • • •
Following people were surprised:
I stopped using Google services many years ago. I haven't "googled" anything in years.
Andy Davies
in reply to Simon Willison • • •
Just to confirm the command line flag does disable this extension e.g.
```
open -a "Google Chrome Canary" --args --disable-component-extensions-with-background-pages
```
One screenshot is with the flag, one as default
(Core Web Vitals Visualiser is an extension I installed rather than one that's bundled with Chrome)
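Added example (not part of the thread and not Chromium's code): a variant of the console snippet from the original post that reports whether the extension answers instead of throwing the `TypeError` quoted earlier in the thread, which is one way to confirm that the flag above took effect. The names `checkHangoutServices` and `runMock` and the mock objects are constructed for illustration; the response field names follow the JSON output posted in the thread.

```javascript
// Added example: classify the result of the cpu.getInfo probe from the post.
const HANGOUT_SERVICES_ID = "nkeimhogjdpnpccoofpliimaahmaaome"; // ID from the post

// chromeLike: the page's `chrome` object (or a mock); done: receives the verdict.
function checkHangoutServices(chromeLike, done) {
  // Case 1: the page has no chrome.runtime (the TypeError quoted in the thread).
  const runtime = chromeLike && chromeLike.runtime;
  if (!runtime || typeof runtime.sendMessage !== "function") {
    done({ status: "not-reachable", reason: "chrome.runtime is undefined" });
    return;
  }
  runtime.sendMessage(HANGOUT_SERVICES_ID, { method: "cpu.getInfo" }, (response) => {
    // Case 2: runtime exists but nothing answered; Chrome sets runtime.lastError.
    const err = runtime.lastError;
    if (err || !response || !response.value) {
      done({ status: "not-reachable", reason: err ? err.message : "empty response" });
      return;
    }
    // Case 3: the page can read hardware details; report which fields came back.
    done({
      status: "exposed",
      fields: Object.keys(response.value).sort(),
      modelName: response.value.modelName,
      numOfProcessors: response.value.numOfProcessors,
    });
  });
}

// Constructed stand-ins for the browser's `chrome` object so this runs in Node.
const mockExposed = {
  runtime: {
    sendMessage: (id, msg, cb) => cb({ value: {
      archName: "x86_64", features: ["sse2"], modelName: "Example CPU",
      numOfProcessors: 8, processors: [], temperatures: [] } }),
  },
};
const mockDisabled = {}; // a page where chrome.runtime is undefined

// Helper for the mocks, which call back synchronously.
function runMock(chromeLike) {
  let result;
  checkHangoutServices(chromeLike, (r) => { result = r; });
  return result;
}

console.log(runMock(mockExposed).status, runMock(mockDisabled).status);
// In DevTools on a Google page: checkHangoutServices(window.chrome, console.log)
```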
ES Michelson
in reply to Simon Willison • • •
Many of my clients use Google products like Drive and Chat. So, sort of stuck oftentimes. It's really too bad because many google products are useful that they have to muck it all up with their trust (as in confidence in and faith in) breaking practices.
Tann
in reply to Simon Willison • • •
friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.
If you don't want to do that, the paid version of #netguard can at least lock down your phone's network traffic app by app and web address by web address.