
What has a hidden API where? I have no idea what this is trying to say. Can anyone make sense of it?


If correct, once you access a `.google.com` website, the browser makes available through JavaScript an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website) and can send the collected information to the "mother ship".

If true, as a lot of people usually have a Google tab open, you can easily deduce what it means.

This is definitely something to be investigated; for the moment, we only have a tweet.


> an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website)

No. It uses the chrome.system.cpu API, that any extension can access, which gives CPU and RAM utilization info about your tabs. It doesn't give anyone "a lot of information about all the open tabs", and does nothing to expose your banking website...

https://developer.chrome.com/docs/extensions/reference/api/s...


https://source.chromium.org/chromium/chromium/src/+/main:chr...

That API is baked into Google Chrome. It's hardcoded to only let google.com use it.


I don't think that is an accurate description. The APIs are available in Chrome to anyone: https://developer.chrome.com/docs/extensions/reference/api/s...

The allowlisting going on here is that normally when you install an extension in Chrome it asks you to confirm the access to those APIs on the sites where the extension wants to run, but this one comes pre-confirmed from the factory. A quick GitHub search finds ~1000 manifest files that list system.cpu, possibly because that API is also in the boilerplate example chrome extension manifest.
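One way to check which extensions combine the `system.*` permissions discussed above with access from web pages, as an added example that is not part of the thread or of Chrome's own code. The sample manifests are constructed, and reading page origins from the `externally_connectable` manifest key is an assumption about how an extension would expose the data to a site.

```python
import json

# Constructed sample manifests; not taken from Chrome or any real extension.
SAMPLE_MANIFESTS = {
    "preinstalled-helper": json.dumps({
        "permissions": ["system.cpu", "system.memory"],
        "externally_connectable": {"matches": ["https://*.vendor.example/*"]},
    }),
    "cpu-monitor": json.dumps({
        "permissions": ["system.cpu", "storage"],
    }),
    "note-taker": json.dumps({
        "permissions": ["storage", {"constructed_object_entry": ["x"]}],
        "externally_connectable": {"matches": ["https://notes.example/*"]},
    }),
}


def audit_manifest(raw):
    """Report system.* permissions and the web origins allowed to message the extension."""
    manifest = json.loads(raw)
    requested = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # Defensive: skip any non-string entries instead of failing on them.
    system_perms = sorted(
        p for p in requested if isinstance(p, str) and p.startswith("system.")
    )
    origins = manifest.get("externally_connectable", {}).get("matches", [])
    return {
        "system_permissions": system_perms,
        "web_origins": origins,
        # Heuristic flag: hardware info and page messaging are both declared.
        "exposes_system_info_to_web": bool(system_perms and origins),
    }


def audit_all(manifests):
    """Audit a mapping of extension name -> raw manifest.json text."""
    return {name: audit_manifest(raw) for name, raw in manifests.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_MANIFESTS).items():
        print(name, result)
```
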


That's still just as unfair, though. Google always has access to that information because their extension is preinstalled and you can't disable it, but other websites have no access to that information unless you go out of your way to install a third-party extension to do so.


OK. That's a point of view. I just thought it should be accurately described.

I think the idea that you will download a web browser from Google and then it won't be able to figure out what model of CPU it is running on is a bit weird, when you think it through. There are lots of features of Chrome that are only "available to Google"; for example, it will only download updates from Google, unless you've modified its source code.


I mean... You downloaded the browser from Google. Did you think Google wouldn't have some kind of privileged access to it?


Google would naturally have privileged access to the browser, but that doesn't need to mean they have secret privileged access to my computer's hardware.


Uhm... you do know Chrome runs on your hardware and has full permission to do pretty much whatever it likes?


That is the source code of Chromium, not Chrome.


Websites hosted on the google.com domain can access more data about the device than websites hosted on any other domain.


Google allows web pages from *.google.com to read a user's CPU usage, GPU usage, etc.

Other web pages don't have such access.



