There’s a bunch of stuff in Chrome that’s special-cased to only allow Google to access it.
Not sure if it’s still there, but many years ago I was trying to figure out how to do something that some Google webapp was doing (can’t remember which one). I think it was something to do with popping up a chromeless window - that is, a new window with no address bar or browser chrome, just some HTML content.
Turns out the Chromium codebase had a hard-coded allowlist that only allowed
*.google.com
to use the API!Edit: my memory was a bit wrong. It was this: https://stackoverflow.com/a/11614605. The Hangouts extension was allowlisted to use the functionality, but if any other extension wanted to use it, the user had to enable an experimental setting.
Are you talking about the “apps” that Chrome used to support? They removed the feature years ago to reduce bloat and RAM usage or something like that.
Before they removed the feature, I had actually figured out how to create my own “apps” that’d simply load webpages I visited often at the time, like Twitch.
I don’t know why, but my head automatically put that as “the apps formerly support by Google” the same as “the artist formerly known as Prince”
I found what I was talking about: https://stackoverflow.com/a/11614605. It was a feature that the Hangouts extension could use, but the user had to manually enable it in the browser settings for any other extensions to use it.
The apps feature is still there just with a different name. It’s labeled as “create shortcut”, and you have to check the box to open a new window. I use it just because Firefox doesn’t have a similar feature.
Not a legal mastermind by a long shot but it seems like a DMA violation. Someone needs to get the EU on their ass.
EU: [RELEASES THE HOUNDS]
Just make sure it isn’t the Pomeranians this time
I had to look up what the Pomeranian dog breed is, because I’m not good with dog breeds. Soon as the page of images loaded I burst out laughing. 😆 Thank you. Good start to my day.
Glad to help. 😁 Get out there with that little dog energy.
lmao is been good so far. Have to make a long trip with the kids today, so it helped. ❤️
Make sure it isn’t just the Pomeranians. Some Pomeranians are definitely going to be in the mix.
Ok, I’m good with that.
Can someone explain this to me like I’m 5. I understand it’s not good but I don’t know why and I would like to understand it.
Effectively Google has a browser extension (just like the ones you’d install from the Chrome Web Store like uBlock Origin) that comes with the browser that’s hidden.
This extension allows Google to see additional information about your computer that extensions and websites don’t normally have access to, such as checking how much load your PC has or directly handing over hardware information like the make and model of your professor.
The big concern in the comments is that this could be used for fingerprinting your browser, even in Incognito mode.
What this essentially means is that even though the browser may not have any cookies saved or any other usual tracking methods, your browser can still be recognised by how it behaves on your machine in particular, and this hidden extension allows Google to retrieve additional information to further narrow down your browser and therefore who you are (as they can link this behaviour and data to when you’ve used Google with that browser signed in), even in Incognito mode.
So since they only just seem to have discovered this, does that mean this invisible extension also likely to be present on Chromium based browsers such as Brave and Thorium etc…?
Yes, though they could remove it. If they’re open source then you could check easily.
Thank you for this info. If this is just an extension, can we just uninstall it or turn it off?
This is not a typical extension and it cannot be removed. It doesn’t even show up in the list of installed extensions.
Maybe recompiling? But I suspect that Chrome as it is, is closed source?
Seems like a great option. Can anyone more familiar with the code confirm this removes the aforementioned CPU-fingerprinting plugin?
It does. You can even try it out yourself. Install Ungoogled Chromium, go to google.com and paste the following code in the Developer console (which you can bring up by pressing F12 and clicking on ‘Console’ at the top of the DevTools interface):
chrome.runtime.sendMessage( "nkeimhogjdpnpccoofpliimaahmaaome", { method: "cpu.getInfo" }, (response) => { console.log(JSON.stringify(response, null, 2)); }, );
If it returns nothing or an error, you’re good. If it returns something like this:
{ "value": { "archName": "arm64", "features": [], "modelName": "Apple M2 Max", "numOfProcessors": 12, "processors": [ { "usage": { "idle": 26890137, "kernel": 5271531, "total": 42525857, "user": 10364189 } }, ...
it means that the hidden extension is present, and *.google.com sites have special access in your browser.
Chromium is open source. Google Chrome is not open source.
even in Incognito mode.
I thought extensions don’t run in incognito mode?
I know Firefox doesn’t run them by default - you can specify which extensions you’d like to run in incognito mode.
I tested it with a stock install of chrome/windows 11. Works.
I thought extensions don’t run in incognito mode?
They don’t. Unless you check the box that allows them to. And I’m sure Google has already checked that box by default.
information like the make and model of your professor
Oh no, not my professor :( (/s)
Oh that’s a good typo, I’m leaving that! I look forward to the LLMs in 2030 telling you to watch the temps on your professor and make sure it doesn’t get exposed by Chrome.
Fingerprinting.
Bingo! Google wants to go cookieless and fingerprinting has been
one ofthe solvesI’ve always read about in the SEO world.
Is this for malicious harvesting or is this part of their chrome device trust product for enterprises?
WINK
No, as far as I know this has nothing to do with attestation/verification for enterprise users.
LibreWolf, Mull, Chromium, …
It’s apparently built into chromium
executing that command from the post returns the following on my Chromium:
VM68:1 Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage') at [HTML_REMOVED]:1:16 (anonymous) @ VM68:1
It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.
It looks like it’s a way to let Google Hangouts (or presumably its modern predecessors) get additional information from the browser, including the current load on the user’s CPU. Update: On Hacker News a Googler confirms that the Google Meet “troubleshooting” feature uses this to review CPU utilization
The code doesn’t do anything on non-Google domains.
Maybe it’s because you tried it on a non Google site? Idk.
Hehe, I read that sentence, tried it on google.com
But forget what I said. I have the ungoogled variant of Chromium installed. No wonder that’s not in there…
If you’re still using Google Chrome in 2024, you might be a moron. #Firefox
I am “slightly” worried that there’s only a single option left. That’s only 1 organization’s corruption removed from total loss of control over browsing privacy :/
There’s safari and pale moon
And Mozilla main source of income is… Google.
This is bad, very bad.
Google pays them to be the default search. FF is like Steve Irwin, you could have been the biggest poacher, if you gave him money he would use it to buy land to help protect animals. FF is pulling the same thing but for the intetnet
so donate and change that
Does this also affect Chromium, or is it just Google Chrome?
The article mentions it being affecting Google Chrome through Chromium, but it’s not clear if it also affects Chromium on its own, or other Chromium-based browsers.
Chromium alone depends on if it’s the Google version or the Un-Googled version. For the Google version of Chromium, it still has that hangouts extension. However, the Un-Googled Chromium has that extension removed via the build flags, the one to note is
enable_hangout_services_extension=false
.As others have said though, it can also depend on what other Chromium-based is being used. Some browsers like Brave and including Vivaldi can have this turned off in the settings. Others like Edge and Opera are affected as well. However it doesn’t affect every Chromium-based browser.
It allegedly also affects Edge and Vivaldi, so it seems to be chromium not chrome
Just now tested in Vivaldi and it works, so yeah seems like Chromium 🥲
Chromium is also affected.
Doesn’t seem to work on cromite desktop (good)
I already ditched Windows for Linux a month ago because of spyware. Everything Google-related is next. My phone is going to be the hardest thing to de-infest.
Honestly I just keep my phone as my designated privacy nightmare so I can get free phone calls on wifi and keep in touch with family members who are still on facebook.
In my experience you either have to trade one devil for the other with Apple or accept buying hardware from the ad company so you can use GrapheneOS.
There are more options than GrapheneOS with broader device support, such as Calyx or LineageOS.
But if you use Android already, you can start by using F-Droid (or others) to install apps to find FOSS replacements for apps you use.
Searching for “Calyx” got me a lot of results that had nothing to do with the Android ROM, so for the convenience of anyone else reading this thread their URL is https://calyxos.org/
Thank you
You could always go the used/refurbished route to not directly give the chocolate factory money
I kinda want to, but I’m also a sucker for ease of use
For ease of use Apple might be the most convenient alternative to Google. At least for smartphones.
Ease of use and apple are not near each other in my dictionary.
I think a lot of things are designed very unlogical
That might be because you are just not used to it. Comparable to the switch from Windows to Linux.
I’m using Linux and tried different distros. I also used chrome os and windows Phone. I tried ios, hence my feelings towards it
And many people tried Linux and were having difficulties adapting to it at first and most probably gave up. Just like you did with iOS.
Pff, sure buddy. Used it for 4 months due to my phone being dead. Go shill someone else. If the adoption of a new os goes against what I want of said os, then it’s not an os for me. Simple as that
Welcome to the world of freedom. The first months may be a bit uncomfortable, but it’s a journey worth taking. Be welcome!
I’m also doing this. Proton is amazing, for the most part. Ente Photos is also incredible for ditching Google Photos, although I’ll probably switch to Proton Photos when that comes out since Ente is pricey.
Isn’t proton photos built into their Proton Drive already? It’s implementation is… barebones… On Android but it works.
It is, but I’d barely consider it a launch of anything. It displays photos, but that’s it. I could already upload and view photos on Proton Drive before they “launched” this.
Or if you have the skills you can selfhost Immich which is an excellent replacement for Google Photos.
Kagi is a great replacement for Google search. It does cost money though.
Or you can take a Duck. Then get one more Duck. Then you can Go.
I already ditched Windows for Linux a month ago because of spyware.
Great!
Everything Google-related is next.
Even better.
My phone is going to be the hardest thing to de-infest.
If you plan on getting a new phone soon, I recommend a Google Pixel, on which you can install GrapheneOS. Yes, ironically Google devices are the best for installing alternative operating systems and removing all the Google BS. GrapheneOS is completely free and open source, and based on the Android Open Source Project. It incorporates many privacy and security enhancements, and gives you total freedom and control over your device. In my opinion, it’s the best option for degoogling a phone.
There is also Lineage OS. It’s not as secure but it is compatible with the most amount of devices.
Unfortunately LineageOS is highly insecure because there’s no ability to lock the bootloader, and Android Verified Boot is completely missing. These are just the biggest and most obvious flaws in Lineage, but there are more: https://madaidans-insecurities.github.io/android.html#lineageos
Android is a very secure system, but that comes with some compromises such as customizability and development features. Both of which are important to the Lineage OS project. Also running Lineage OS is not any more insecure then running a Linux or Windows desktop without secure boot, which many people do without issue
Ianal, but this sounds like something worthy of suing their ass over. There’s not much Google would respond to and good luck beating their lawyers, but the only language they speak is $, so please try to take as much as possible away from them for this garbage.
Why do people still use Chrome?
Please uninstall it from everyone’s home pc and phone that you come into contact with
Because it’s fast and works well enough to keep the fame acquired over the last 10 years.
At the cost of zero privacy, data being stolen and other fundamental issues and morals that Google lacks.
Which is invisible to users, meaning they can ignore it or handwave it with “I haven’t got anything to hide”.
Or worse, “They already know everything about me, so why bother?”. One of my relatives says this. Kill me now.
Slower than Firefox
I’m a Firefox user on desktop and mobile, and I definitely feel like Chrome is faster on both platforms when I (have to) use it. But I prefer Firefox for the ideology and dev tools (on desktop), since I’m a web developer by trade, so the dev tools make a big difference for me.
I use both for my job and my subjective feeling is that chrome is faster. Js benchmarks seems to confirm it. Privately I use Firefox 95% of the time but I understand people who stay on chrome just out of inertia.
There was a short period a few years ago after the Quantum update that I would have partially agreed, because Firefox’s renderer was much smoother. But Chrome seems to have caught up, because it’s been much faster every time I test something in it in the yesrs since.
Google does a lot of standards breaking things.
Like allowing a link on Google Apps Marketplace to open a new window (like popup) with POST instead of GET. (This pretty much ensures that buying an app will fail for browsers that follow the spec)
This garbage behavior is in Chromium as well?
Refreshing change from reading about some new AI powered tracking nonsense in Windows.
Google Meet can show CPU usage, they aten’t trying to hide this.
How long until it will be used as a backdoor to hack womeone’s PC?
Chrome is the backdoor and you already installed it
Negative number.
Seems google has already done that
I will stick with using Firefox.
That’s the way to go