Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage
Google Chrome ships a default, hidden extension that allows code on *.google.com access to private APIs, including your current CPU usage
It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage You can test it out by pasting the following into your Chrome DevTools console on any Google page: chrome.runtime.sendMessage( "nkeimho...
You're viewing a single thread.
Uhh do we know if this extends to sites.google.com?
You can check this yourself. Just paste this into the developer console:
chrome.runtime.sendMessage( "nkeimhogjdpnpccoofpliimaahmaaome", { method: "cpu.getInfo" }, (response) => { console.log(JSON.stringify(response, null, 2)); }, );If you get a return like this, it means that the site has special access to these private, undocumented APIs
{ "value": { "archName": "arm64", "features": [], "modelName": "Apple M2 Max", "numOfProcessors": 12, "processors": [ { "usage": { "idle": 26890137, "kernel": 5271531, "total": 42525857, "user": 10364189 } }, ...Not an area I'm familiar with, but this user says no:
https://news.ycombinator.com/item?id=40918052
lashkari 5 hours ago | prev | next [โ]
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
DownrightNifty 5 hours ago | parent | next [โ]
JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS >happens.