Skip Navigation

Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage

fedi.simonwillison.net

Simon Willison (@simon@simonwillison.net)

199 comments
  • Uhh do we know if this extends to sites.google.com?

    • You can check this yourself. Just paste this into the developer console:

       
          
      chrome.runtime.sendMessage(
        "nkeimhogjdpnpccoofpliimaahmaaome",
        { method: "cpu.getInfo" },
        (response) => {
          console.log(JSON.stringify(response, null, 2));
        },
      );
      
        

      If you get a return like this, it means that the site has special access to these private, undocumented APIs

       
          
      {
        "value": {
          "archName": "arm64",
          "features": [],
          "modelName": "Apple M2 Max",
          "numOfProcessors": 12,
          "processors": [
            {
              "usage": {
                "idle": 26890137,
                "kernel": 5271531,
                "total": 42525857,
                "user": 10364189
              }
            }, ...
      
      
        
    • Not an area I'm familiar with, but this user says no:

      https://news.ycombinator.com/item?id=40918052

      lashkari 5 hours ago | prev | next [–]

      If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/

      <sitename>

      )?

      DownrightNifty 5 hours ago | parent | next [–]

      JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.

  • Refreshing change from reading about some new AI powered tracking nonsense in Windows.

199 comments