Uhh do we know if this extends to sites.google.com?
You can check this yourself. Just paste this into the developer console:
```
chrome.runtime.sendMessage(
  "nkeimhogjdpnpccoofpliimaahmaaome",
  { method: "cpu.getInfo" },
  (response) => {
    console.log(JSON.stringify(response, null, 2));
  },
);
```
If you get a return like this, it means that the site has special access to these private, undocumented APIs.
```
{
  "value": {
    "archName": "arm64",
    "features": [],
    "modelName": "Apple M2 Max",
    "numOfProcessors": 12,
    "processors": [
      {
        "usage": {
          "idle": 26890137,
          "kernel": 5271531,
          "total": 42525857,
          "user": 10364189
        }
      },
      ...
```
Not an area I’m familiar with, but this user says no:
https://news.ycombinator.com/item?id=40918052
lashkari 5 hours ago
If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
DownrightNifty 5 hours ago
JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.
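The origin separation described in the quoted reply, as an added example that is not part of the thread or of Chrome's code: a host wildcard check applied to the origin of the frame that runs the script. The matching rule, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. The wildcard and its matching rule
// (base domain plus any subdomain) are assumptions taken from "*.google.com".
const ALLOWED_PATTERN = "*.google.com";

// Compare on label boundaries so suffix lookalikes are rejected.
function hostMatches(pattern, host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return h === base || h.endsWith("." + base);
  }
  return h === p;
}

// The check applies to the origin of the frame whose script makes the call,
// not to the URL shown in the address bar.
function callerAllowed(frameUrl, pattern = ALLOWED_PATTERN) {
  let url;
  try {
    url = new URL(frameUrl);
  } catch {
    return false; // unparsable input is never allowed
  }
  return hostMatches(pattern, url.hostname);
}

// Constructed sample URLs (hypothetical paths and host names).
const SAMPLES = [
  "https://sites.google.com/view/example-site",
  "https://example-id.googleusercontent.com/embed",
  "https://notgoogle.com/",
  "https://google.com.example.net/",
];

function classify(urls = SAMPLES) {
  return urls.map((u) => ({ url: u, allowed: callerAllowed(u) }));
}

console.log(classify());
```

The page host sites.google.com matches the wildcard, but a script served from a googleusercontent.com frame is evaluated against that frame's host and does not.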