Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage

https://fedi.simonwillison.net/@simon/112757810519145581

cross-posted from: https://lemmy.dbzer0.com/post/23752739

https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/


by [any] depth: 1

LibreWolf, Mull, Chromium, ...

It's apparently built into Chromium

Executing that command from the post returns the following on my Chromium:

VM68:1 Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage')
    at [HTML_REMOVED]:1:16
(anonymous) @ VM68:1

It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.

It looks like it's a way to let Google Hangouts (or presumably its modern predecessors) get additional information from the browser, including the current load on the user's CPU. Update: On Hacker News a Googler confirms that the Google Meet "troubleshooting" feature uses this to review CPU utilization

The code doesn't do anything on non-Google domains.

Maybe it's because you tried it on a non-Google site? Idk.

by [any] depth: 5

Hehe, I read that sentence, tried it on google.com

But forget what I said. I have the ungoogled variant of Chromium installed. No wonder that's not in there...





