cross-posted from: lemmy.dbzer0.com/post/23752739
It baffles me that they sell Chrome as private and/or secure, and baffles me even more that people believe them.
Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage
Submitted 4 months ago by Andromxda@lemmy.dbzer0.com to technology@lemmy.world
https://fedi.simonwillison.net/@simon/112757810519145581
Comments
kakes@sh.itjust.works 4 months ago
sudo@lemmy.today 3 months ago
It baffles me people use chrome.
SorryQuick@lemmy.ca 3 months ago
Why? There was a time when chrome was significantly better, and most people hate change.
kworpy@lemm.ee 3 months ago
idk what to tell you if you’re still using chrome
GoogleSellsAds@sh.itjust.works 3 months ago
Or anything Google for that matter. I see a lot of praise on Lemmy for their Pixel phones, but it wouldn’t surprise me if they eventually find there was a backdoor in their firmware all this time. Yes of course, I can not prove that right now, but this news about Google Chrome isn’t news for no reason. Don’t trust anything Google if you care about privacy, it is literally their business model (selling targeted ads).
joel_feila@lemmy.world 3 months ago
Wrll you have to use a pixel phone to use graphene os
Emerald@lemmy.world 3 months ago
Well pretty much all computers have a backdoor to the CPU. That hasn’t been proven for Pixel phones though.
Andromxda@lemmy.dbzer0.com 3 months ago
I fucking hate Google and wouldn’t use any of their (proprietary) software, but Pixel phones are amazing. Hear me out, Google is the only phone manufacturer right now, that puts extensive hardware security features like MTE, a secure element, as well as a bunch of others in their phones. The Google Titan M2 is based on an open-source project called OpenTitan, and Google has even contributed their own changes upstream. It’s based on the open RISC-V architecture, and it’s the most complete and secure implementation of a secure element that you can find in an Android phone. The only thing that comes even close is the “Secure Enclave” in Apple ARM chips, that are used in modern iPhones, iPads and Macs. I understand the concern about a potential backdoor in the firmware, but that’s a valid concern with basically every CPU on the market right now. x86 are ARM are completely proprietary, so you can’t really trust any CPU based on one of these architectures. The old Google Titan M1 was based on ARM, Apple’s Secure Enclave is also based on ARM, as well as Snapdragon’s SPU (which is incomplete and insecure anyway). The Titan M2, being based on open hardware architecture and firmware, is the most trustworthy secure element, despite being made by Google. It includes features like Insider Attack Resistance, support for the Weaver API, Android StrongBox hardware keystore implementation and is used for a secure implementation of Android Verified Boot. GrapheneOS is free, open-source, and doesn’t use any proprietary Google apps/services by default. Although I hate Google, a Pixel with GrapheneOS is currently the best option for a secure smartphone.
ours@lemmy.world 3 months ago
ComeHereOrIHookYou@lemmy.world 3 months ago
This is hilarious! It even works on Edge, Vivaldi and even Brave 🤣
madis@lemm.ee 3 months ago
Vivaldi and Brave have the option to disable the Hangouts extension in settings, which should disable this.
As linked in the article, it is indeed used for “Hangouts” (Meet) troubleshooting.
ComeHereOrIHookYou@lemmy.world 3 months ago
This is good news since Vivaldi is my goto chromium browser (when I need to really use it)
Katana314@lemmy.world 3 months ago
I’ll admit, in several places I used Edge as an effort to have at least some layer of distrust between myself and Google. I’ll have to quit that though.
dejected_warp_core@lemmy.world 3 months ago
I like your style. I went looking and found “switchbar” which kinda/sorta eases this bouncing between browsers idea:
…google.com/…/klgpknafjlhnpkppfbihchgfebbdcomd
It’s not elegant, but it supports the workflow you suggest. I kind of like the idea of using Edge for google.com and Chrome for microsoft.com. I’m not optimizing my experience (it may in fact be very sub-optimal), but I’m also using competition to neutralize potential shenanigans.
solrize@lemmy.world 3 months ago
cupcakezealot@lemmy.blahaj.zone 3 months ago
such a sensationalist article there. mozilla isnt an advertising company, they bought a company that specialises in privacy focused ad campaigns so they can provide an alternative to google for companies.
which is what they should be doing.
ComeHereOrIHookYou@lemmy.world 3 months ago
Welp, might as well just use w3m 🤣
Gloria@sh.itjust.works 4 months ago
#UninstallChrome
Andromxda@lemmy.dbzer0.com 3 months ago
#SwitchToFirefox
victorz@lemmy.world 3 months ago
Here, you forgot this:
\
Scotty_Trees@lemmy.world [bot] 3 months ago
If you’re still using Google Chrome in 2024, you might be a moron. #Firefox
raspberriesareyummy@lemmy.world 3 months ago
I am slightly worried that there’s only a single option left. That’s only 1 organization’s corruption removed from total loss of control over browsing privacy :/
Scrollone@feddit.it 3 months ago
And Mozilla main source of income is… Google.
This is bad, very bad.
ILikeBoobies@lemmy.ca 3 months ago
There’s safari and pale moon
4am@lemm.ee 3 months ago
Remember when Google pushed for use of open standard in the browser to force Microsoft IE out of the market? Oh yeah I ‘member
paridoxical@lemmy.world 3 months ago
They have become the evil they once sought to combat.
dan@upvote.au 3 months ago
There’s a bunch of stuff in Chrome that’s special-cased to only allow Google to access it.
Not sure if it’s still there, but many years ago I was trying to figure out how to do something that some Google webapp was doing (can’t remember which one). I think it was something to do with popping up a chromeless window - that is, a new window with no address bar or browser chrome, just some HTML content.
Turns out the Chromium codebase had a hard-coded allowlist that only allowed
*.google.comto use the API!Gestrid@lemmy.ca 3 months ago
Are you talking about the “apps” that Chrome used to support? They removed the feature years ago to reduce bloat and RAM usage or something like that.
Before they removed the feature, I had actually figured out how to create my own “apps” that’d simply load webpages I visited often at the time, like Twitch.
QuantumStorm@lemmy.world 3 months ago
I don’t know why, but my head automatically put that as “the apps formerly support by Google” the same as “the artist formerly known as Prince”
dan@upvote.au 3 months ago
I found what I was talking about: stackoverflow.com/a/11614605
The apps feature is still there just with a different name. It’s labeled as “create shortcut”, and you have to check the box to open a new window. I use it just because Firefox doesn’t have a similar feature.
ZILtoid1991@lemmy.world 3 months ago
How long until it will be used as a backdoor to hack womeone’s PC?
gencha@lemm.ee 3 months ago
Chrome is the backdoor and you already installed it
ILikeBoobies@lemmy.ca 3 months ago
Seems google has already done that
rottingleaf@lemmy.zip 3 months ago
Negative number.
cubism_pitta@lemmy.world 4 months ago
Google does a lot of standards breaking things.
Like allowing a link on Google Apps Marketplace to open a new window (like popup) with POST instead of GET. (This pretty much ensures that buying an app will fail for browsers that follow the spec)
victorz@lemmy.world 3 months ago
This garbage behavior is in Chromium as well?
CriticalMiss@lemmy.world 3 months ago
Not a legal mastermind by a long shot but it seems like a DMA violation. Someone needs to get the EU on their ass.
victorz@lemmy.world 3 months ago
EU: [RELEASES THE HOUNDS]
bhamlin@lemmy.world 3 months ago
Just make sure it isn’t the Pomeranians this time
Suavevillain@lemmy.world 3 months ago
I will stick with using Firefox.
Andromxda@lemmy.dbzer0.com 3 months ago
That’s the way to go
Imgonnatrythis@sh.itjust.works 4 months ago
Ianal, but this sounds like something worthy of suing their ass over. There’s not much Google would respond to and good luck beating their lawyers, but the only language they speak is $, so please try to take as much as possible away from them for this garbage.
NutWrench@lemmy.world 3 months ago
I already ditched Windows for Linux a month ago because of spyware. Everything Google-related is next. My phone is going to be the hardest thing to de-infest.
flop_leash_973@lemmy.world 3 months ago
In my experience you either have to trade one devil for the other with Apple or accept buying hardware from the ad company so you can use GrapheneOS.
sugar_in_your_tea@sh.itjust.works 3 months ago
There are more options than GrapheneOS with broader device support, such as Calyx or LineageOS.
But if you use Android already, you can start by using F-Droid (or others) to install apps to find FOSS replacements for apps you use.
Trainguyrom@reddthat.com 3 months ago
You could always go the used/refurbished route to not directly give the chocolate factory money
enleeten@discuss.online 3 months ago
Kagi is a great replacement for Google search. It does cost money though.
Emerald@lemmy.world 3 months ago
Or you can take a Duck. Then get one more Duck. Then you can Go.
moonburster@lemmy.world 3 months ago
I kinda want to, but I’m also a sucker for ease of use
Tywele@lemmy.dbzer0.com 3 months ago
For ease of use Apple might be the most convenient alternative to Google. At least for smartphones.
Andromxda@lemmy.dbzer0.com 3 months ago
I already ditched Windows for Linux a month ago because of spyware.
Great!
Everything Google-related is next.
Even better.
My phone is going to be the hardest thing to de-infest.
If you plan on getting a new phone soon, I recommend a Google Pixel, on which you can install GrapheneOS. Yes, ironically Google devices are the best for installing alternative operating systems and removing all the Google BS. GrapheneOS is completely free and open source, and based on the Android Open Source Project. It incorporates many privacy and security enhancements, and gives you total freedom and control over your device. In my opinion, it’s the best option for degoogling a phone.
Emerald@lemmy.world 3 months ago
There is also Lineage OS. It’s not as secure but it is compatible with the most amount of devices.
nossaquesapao@lemmy.eco.br 3 months ago
Welcome to the world of freedom. The first months may be a bit uncomfortable, but it’s a journey worth taking. Be welcome!
asdfasdfasdf@lemmy.world 3 months ago
I’m also doing this. Proton is amazing, for the most part. Ente Photos is also incredible for ditching Google Photos, although I’ll probably switch to Proton Photos when that comes out since Ente is pricey.
pathief@lemmy.world 3 months ago
Isn’t proton photos built into their Proton Drive already? It’s implementation is… barebones… On Android but it works.
Tywele@lemmy.dbzer0.com 3 months ago
Or if you have the skills you can selfhost Immich which is an excellent replacement for Google Photos.
CheeseNoodle@lemmy.world 3 months ago
Honestly I just keep my phone as my designated privacy nightmare so I can get free phone calls on wifi and keep in touch with family members who are still on facebook.
jinarched@lemm.ee 3 months ago
Just use Firefox shrug
nutsack@lemmy.world 3 months ago
there’s a portion of the internet that just doesn’t work in Firefox because the company pays only $2 million a year for developers and they can’t do it
JaddedFauceet@lemmy.world 3 months ago
As part of our company’s security policy, our IT admin disallows firefox to be installed in dev machine.
our engineers cannot test their work in firefox.
LOL
Omgpwnies@lemmy.world 3 months ago
I’ve yet to find more than a handful of pages that have had issues, and most were fairly poorly coded to begin with
Andromxda@lemmy.dbzer0.com 3 months ago
Katana314@lemmy.world 3 months ago
My biggest issue is video streaming on older computers. I have an old laptop I use casually for video playing in the background, and Webkit browsers like Edge definitely load YouTube with far less stuttering. I’m still trying to find good alternatives - lately even changing the user agent doesn’t seem to make it faster.
empireOfLove2@lemmy.dbzer0.com 4 months ago
Hmmm, no way this could ever turn into a security hole, I’m sure of it.
fin@sh.itjust.works 3 months ago
“Don’t be evil”
atrielienz@lemmy.world 3 months ago
Not anymore.
powermaker450@discuss.tchncs.de 3 months ago
this just in: google is still spying on you in every way possible
alphapuggle@programming.dev 4 months ago
Uhh do we know if this extends to sites.google.com?
Andromxda@lemmy.dbzer0.com 3 months ago
You can check this yourself. Just paste this into the developer console:
chrome.runtime.sendMessage( "nkeimhogjdpnpccoofpliimaahmaaome", { method: "cpu.getInfo" }, (response) => { console.log(JSON.stringify(response, null, 2)); }, );
If you get a return like this, it means that the site has special access to these private, undocumented APIs
{ "value": { "archName": "arm64", "features": [], "modelName": "Apple M2 Max", "numOfProcessors": 12, "processors": [ { "usage": { "idle": 26890137, "kernel": 5271531, "total": 42525857, "user": 10364189 } }, ...
tal@lemmy.today 3 months ago
Not an area I’m familiar with, but this user says no:
news.ycombinator.com/item?id=40918052
lashkari 5 hours ago | prev | next [–]
If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
DownrightNifty 5 hours ago | parent | next [–]
JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.
_sideffect@lemmy.world 4 months ago
Why do people still use Chrome?
Please uninstall it from everyone’s home pc and phone that you come into contact with
VelvetStorm@lemmy.world 3 months ago
Can someone explain this to me like I’m 5. I understand it’s not good but I don’t know why and I would like to understand it.
T156@lemmy.world 3 months ago
Does this also affect Chromium, or is it just Google Chrome?
The article mentions it being affecting Google Chrome through Chromium, but it’s not clear if it also affects Chromium on its own, or other Chromium-based browsers.
trolololol@lemmy.world 3 months ago
This and the article are very light on details
My laptop, that I own and runs Linux that I installed, has chrome in it. I’m order to log into Gmail for work, it installs an extension that is capable of telling Gmail if my disk is encrypted. I know because you get an error message until my disk was actually encrypted. It was a big surprise to me, and I wonder if this is done by the same piece of code.
Btw would there be a way to do virtualization through perhaps docker or flat pack or chroot that can isolate chrome in a sandbox and prevent it from a) reading and writing files anywhere on any disk and b) get other data such as CPU, disk encryption etc?
faltryka@lemmy.world 4 months ago
Is this for malicious harvesting or is this part of their chrome device trust product for enterprises?
Holzkohlen@feddit.de 3 months ago
Refreshing change from reading about some new AI powered tracking nonsense in Windows.
mrvictory1@lemmy.world 4 months ago
Google Meet can show CPU usage, they aten’t trying to hide this.
hendrik@palaver.p3x.de 4 months ago
LibreWolf, Mull, Chromium, ...
crazyminner@lemmy.ml 4 months ago
Suprise Suprise!
vox@sopuli.xyz 3 months ago
i think it’s used for the performance testing feature in google meet n stuff
Andromxda@lemmy.dbzer0.com 4 months ago
Yet another reason to switch to Firefox, or even better, a hardened fork like LibreWolf
sigmaklimgrindset@sopuli.xyz 4 months ago
What functionality would I lose/gain if I switch from Firefox to Librewolf? I’m admittedly an amateur in the privacy space, and I’ve been pretty content with Firefox + Ublock and container tabs for different profiles, but I consistently get the issue that my browser fingerprint is pretty unique, and I have no idea how to or even if I can anonymize that anymore.
Imgonnatrythis@sh.itjust.works 4 months ago
Librewolf is not associated with Mozilla and does not receive their primary source of funding from Google like Mozilla does. I really like having the same browser and browser synchronization between my phone and desktop/laptop, so librewolf is out for me. They have no interest or resources to build an Android version. Waterfox does at least have desktop / android option and takes things at least one small step further away from Google.
Danitos@reddthat.com 3 months ago
Tangent note: I think browser fingerprinting is only a source of concern if you use VPN. Otherwise, your IP is already a good enough identifier, and quite likely doesn’t rotate often enough. Please someone correct me if I’m wrong.
Mkengine@feddit.de 3 months ago
Switching from Firefox to Librewolf has some pros and cons. Librewolf is a fork of Firefox focused on privacy and security, with telemetry stripped out and privacy settings maxed out by default. You’ll gain better out-of-the-box privacy protections, meaning less tracking and data collection without having to tweak settings yourself.
However, you might lose some convenience. Librewolf might not support certain Firefox features like Sync, since it relies on Mozilla’s servers (not sure about that point, maybe it does work). It can also break some websites due to the stricter privacy settings. Another thing to consider is that you won’t get updates as quickly as Firefox.
Regarding browser fingerprinting, it’s a tricky beast. Librewolf can help somewhat by making your fingerprint less unique, but it’s not a silver bullet. Tools like uBlock Origin and container tabs are great, but adding something like the CanvasBlocker extension can also help reduce fingerprinting. Ultimately, no setup is perfect, but Librewolf is a solid step towards better privacy.
calamitycastle@lemmy.world 4 months ago
Yes, why to do this?
TheGrandNagus@lemmy.world 3 months ago
Mostly it’s just FF but with more private defaults (that you can change in the settings trivially anyway), although there are one or two extras.
There is a potential issue, though. Librewolf runs behind, so security vulnerabilities, particularly for zero-day exploits, take longer to be patched.
PetroGuy@lemmy.ca 3 months ago
if it’s fingerprinting you care about, i’d give mullvad browser a try. it’s a firefox fork tailored to increase privacy and blend you into the crowd (as long as you don’t change any setting/install addons). it’s very very neat.