Technology

57415 readers

3371 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

1525

Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage (fedi.simonwillison.net)

submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]

199 comments fedilink hide all child comments

cross-posted from: https://lemmy.dbzer0.com/post/23752739

https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 31 points 1 month ago (2 children)

Uhh do we know if this extends to sites.google.com?

[–] [email protected] 39 points 1 month ago

You can check this yourself. Just paste this into the developer console:

chrome.runtime.sendMessage(
  "nkeimhogjdpnpccoofpliimaahmaaome",
  { method: "cpu.getInfo" },
  (response) => {
    console.log(JSON.stringify(response, null, 2));
  },
);

If you get a return like this, it means that the site has special access to these private, undocumented APIs

{
  "value": {
    "archName": "arm64",
    "features": [],
    "modelName": "Apple M2 Max",
    "numOfProcessors": 12,
    "processors": [
      {
        "usage": {
          "idle": 26890137,
          "kernel": 5271531,
          "total": 42525857,
          "user": 10364189
        }
      }, ...

[–] [email protected] 21 points 1 month ago

Not an area I'm familiar with, but this user says no:

https://news.ycombinator.com/item?id=40918052

lashkari 5 hours ago | prev | next [–]

If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/)?

DownrightNifty 5 hours ago | parent | next [–]

JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.