Google Chrome has an API accessible only from *.google.com

895 points by develatio, 10 months ago

44 comments

mike_hearn, 10 months ago
The name hangout_services suggests this is some old tech debty hack intended to make developing Google Hangouts easier by giving that team a direct stream of telemetry. For those who have forgotten, Hangouts was the first app that did video calling in the browser using what became WebRTC. If you look at what this module is doing, it's exposing stuff like CPU/GPU/RAM usage/hardware details back to the app that it wouldn't normally have.

My guess is that Google will react to this Twitter thread by simply deleting it. Hangouts has been a dead product for a while; if their server side code still uses it they can surely remove it as presumably the Chrome team monitor WebRTC performance themselves in a multi-site way now, given the much wider usage.
cletus, 10 months ago
I might be able to shed some light on this (disclaimer: Xoogler).

I worked for a time on Google's internal videoconferencing platform, called GVC. This was in 2010-2011 at a time when a lot of the company's VC equipment was proprietary, specifically Cisco Tandberg units. These were expensive and would be expensive to roll out to thousands of meeting rooms.

Around this time a different team was developing Hangouts. It's been a while so my memory may be off but I think it was called Google Meet at the time? Or maybe that was later? It's hard to keep track. I think Hangouts was the name adopted when Google+ came along and rolled Hangouts into its product offering.

There were different configurations of GVC but the most common were these All-in-One ("AIO") monitor/computer combos. It was a full Intel PC. So the GVC platform was a custom Linux distro. The system was designed so GVCs could talk to Google services, which was nontrivial, and so software updates could be rolled out. It kept old distros too in case one didn't boot. These GVCs had to be named and a whole bunch of other issues.

Additionally they needed support for various hardware like a touch panel to dial. Larger units required larger PTZ camera support and support for various microphones.

Anyway, Hangouts became the stack GVC was built on. This ultimately replaced virtually all Tandbergs and saved a fortune. This system was certainly still in use by 2017. I can't speak for later.

Monitoring was a part of all this. So when I see there are *.google.com specific APIs, we need to be sure we're talking about this accurately. Like can Google query any Chrome instance in the world? Or is it only from/to google.com? I don't know the answer and the Tweet doesn't specify.

But given the name hangouts_services and the domain restriction I consider it highly likely this is purely to support monitoring embedded Chrome for GVC. I could be wrong.
simonw, 10 months ago
Looks like they added this in October 2013: https://github.com/chromium/chromium/commit/422c736b82e7ee763c67109cde700db81ca7b443

    Bundle Hangouts Services extension with Chrome
    BUG=291271
    Review URL: https://codereview.chromium.org/35873003

Here's that review URL: https://codereview.chromium.org/35873003
madeofpalk, 10 months ago
I'm not sure what these APIs are exactly and why they're there, but Firefox also does something similar. It has special APIs available only to Mozilla and/or Firefox domains, for things like installing extensions, or helping with first-run experience.

A blog post about it was shared here on Hacker News <12 months ago, but I'm having trouble finding it...
_9yre, 10 months ago
Disclaimer: I work at Google, but not on Chrome or on these APIs.

I think the explanation is quite mundane. An example usage: open google meet, start an empty meeting (an “instant meeting”), click the “…” menu, click “troubleshooting and help”.

There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded during a meet call, too.

It’s very helpful, I check it from time to time.

Edit: now that I think about it, I’m not sure the suggestion to close tabs is actually a thing. I’ve only actually used the stats view.
Tiberium, 10 months ago
I think the submission is a bit wrong in editing the title from the original. I understood it like this:

Chrome has a built-in extension that uses public Chrome APIs that are easily available to other Chrome extensions. The issue described is that this extension shares this information to Google's own domains when they're communicating with the extension, while other websites can't do this.

There's no "special hidden API".
tantalor, 10 months ago
Looks like this is accessing "chrome.system.cpu" API, which any extension can access (given the "system.cpu" permissions).

https://developer.chrome.com/docs/extensions/reference/api/system/cpu

You can see all the permissions requested by this extension here:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/resources/hangout_services/manifest_v3.json;l=23-31
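Added example, not part of the thread and not Chromium's code: a Node.js audit of an extension manifest for the situation the comments above describe, an extension holding `system.cpu` that answers messages only from pages on one domain family. It assumes the web origins allowed to message the extension are listed under the standard `externally_connectable.matches` manifest key; the sample manifest, the `SENSITIVE` list and the function names are constructed for illustration.

```javascript
// Added example: which web pages may message an extension, and what could
// that extension's permissions expose to them? Sample data is constructed.
const SENSITIVE = new Set(['system.cpu', 'system.memory', 'system.storage', 'system.display']);

// Split a match pattern such as "https://*.example.com/*" into its parts.
function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/([^/]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
  return { scheme: m[1], host: m[2], path: m[3] };
}

// True if the page URL is covered by the match pattern.
function patternCovers(pattern, pageUrl) {
  const { scheme, host, path } = parsePattern(pattern);
  const url = new URL(pageUrl);
  const urlScheme = url.protocol.slice(0, -1);
  if (scheme === '*' ? !['http', 'https'].includes(urlScheme) : scheme !== urlScheme) return false;
  if (host.startsWith('*.')) {
    const base = host.slice(2);
    // "*.example.com" covers example.com itself and every subdomain of it.
    if (url.hostname !== base && !url.hostname.endsWith('.' + base)) return false;
  } else if (host !== '*' && host !== url.hostname) {
    return false;
  }
  // Translate the path glob to a regular expression ("*" matches anything).
  const escaped = path.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(url.pathname + url.search);
}

// Report wildcard-subdomain patterns and the sensitive permissions behind them.
function auditManifest(manifest) {
  const matches = (manifest.externally_connectable || {}).matches || [];
  const wildcardHosts = matches.filter(p => parsePattern(p).host.startsWith('*'));
  const sensitive = (manifest.permissions || []).filter(p => SENSITIVE.has(p));
  return { matches, wildcardHosts, sensitive, review: wildcardHosts.length > 0 && sensitive.length > 0 };
}

// Constructed manifest with the same shape as the case discussed in the thread.
const sampleManifest = {
  name: 'bundled helper (constructed sample)',
  permissions: ['system.cpu', 'storage'],
  externally_connectable: { matches: ['https://*.example.com/*'] },
};

const report = auditManifest(sampleManifest);
console.log(report);
for (const page of ['https://meet.example.com/call', 'https://sites.example.com/view/demo', 'https://example.org/']) {
  console.log(page, report.matches.some(p => patternCovers(p, page)));
}
```

A `review: true` result means every subdomain under the wildcard, including any that host third-party content, inherits the extension's reach and should be considered in the trust boundary.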
MisterDizzy, 10 months ago
Hardly surprising. This is very Google-like behavior. The question is do other Chromium browsers have this? Edge? Brave? Chromium? Ungoogled Chromium?
Pesthuf, 10 months ago
Safari also has some Apple specific features, like being able to show a special dialog for logging into other websites with your Apple account that works differently from passkeys or password autofill, or the redirect based flow they make other browsers go through.

Always wondered how it's implemented in JS. WebAuthn with proprietary arguments...?
pcwalton, 10 months ago
Google has done this sort of thing before. My memory is fuzzy as to the details, but I think it was Native Client being allowlisted at the domain level to only work on Hangouts, or something like that.
leros, 10 months ago
I briefly worked on Internet Explorer in ages past. They would develop APIs with the Windows team for use in IE to give IE special features that other browsers couldn't implement.
blackeyeblitzar, 10 months ago
So this is a lot like Microsoft using specialized formats or APIs in Windows that competitors cannot access, which was a problem throughout the 90s. The problem never went away - it has just changed appearance.
htrp, 10 months ago
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.

So I guess the question becomes how quickly you can spoof this?
dijit, 10 months ago
This kind of thing is common, there was a file called tweaks.cpp which had a list of domains that had slightly different behaviours.

That file was very telling to be honest and was well commented. Firefox has a similar file.
jeffbee, 10 months ago
You can build Chrome without this by setting `enable_hangout_services_extension` to false. Of course, then none of the WebRTC stuff on google.com will work.
bonestamp2, 10 months ago
Is it fair to assume this is used for fingerprinting/tracking users?
daitangio, 10 months ago
I stopped using Chrome as my primary & only browser. Too much power in one hand?
simonw, 10 months ago
If you want to see what this does, navigate to https://www.google.com/ in Chrome and paste this into your DevTools console:

    chrome.runtime.sendMessage(
      'nkeimhogjdpnpccoofpliimaahmaaome',
      { method: 'cpu.getInfo' },
      response => {
        console.log('CPU Info:\n', JSON.stringify(response, null, 2));
      }
    );

I got this:

    {
      "value": {
        "archName": "arm64",
        "features": [],
        "modelName": "Apple M2 Max",
        "numOfProcessors": 12,
        "processors": [
          { "usage": { "idle": 26879793, "kernel": 5270058, "total": 42511068, "user": 10361217 } },
          { "usage": { "idle": 27925505, "kernel": 5045974, "total": 42900999, "user": 9929520 } },
          { "usage": { "idle": 29153545, "kernel": 4688719, "total": 43152989, "user": 9310725 } },
          { "usage": { "idle": 30140852, "kernel": 4360719, "total": 43319960, "user": 8818389 } },
          { "usage": { "idle": 34426211, "kernel": 2169516, "total": 43433582, "user": 6837855 } },
          { "usage": { "idle": 38586206, "kernel": 1338183, "total": 43658789, "user": 3734400 } },
          { "usage": { "idle": 41067872, "kernel": 598226, "total": 43874597, "user": 2208499 } },
          { "usage": { "idle": 41795321, "kernel": 412479, "total": 43965499, "user": 1757699 } },
          { "usage": { "idle": 34484688, "kernel": 2180147, "total": 43500079, "user": 6835244 } },
          { "usage": { "idle": 38604714, "kernel": 1340358, "total": 43680869, "user": 3735797 } },
          { "usage": { "idle": 41086212, "kernel": 599273, "total": 43883401, "user": 2197916 } },
          { "usage": { "idle": 41802500, "kernel": 411499, "total": 43970596, "user": 1756597 } }
        ],
        "temperatures": []
      }
    }

This won't work on non-Google URLs.
lashkari, 10 months ago
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
theshrike79, 10 months ago
And this is why we should all boycott Chromium based browsers.

It's turning (and mostly has already turned) into the new Internet Explorer.

Use Safari or Firefox, or any other browser that's not based on Chromium.
mcpar-land, 10 months ago
Google spent billions muscling their way into their majority market share of web browsers, now they're going to keep on cashing out with unfair practices like these.
sreejithr, 10 months ago
If you’re still using Chrome in 2024, you’re a fool.
diego_sandoval, 10 months ago
Last time I used Google Chrome, if you logged into a Google account while using Chrome, it automatically logged you into that Google account in the browser itself.

Isn't that implemented in a similar way to this?

I agree with the concerns about unfair competition, and I think this auto-login "feature" could also qualify as an example.
mikeiz404, 10 months ago
Thread reader: https://twitter-thread.com/t/1810696257137959018
throwaway4good, 10 months ago
Isn't Google chrome open source?

It should be possible to point to the source code of whatever google.com extensions that may exist.

Or is this only available in the packaged distributions of Chrome?
chrsig, 10 months ago
Is there more of an explanation? I see a baseless claim without any specificity.

I'm not saying it's right/wrong, just that no evidence was presented.
rldjbpin, 10 months ago
through this, at least it is now fairly well known that chrome is able to share detailed hardware details to a website.

now, is it bad that it is being done at all or that only google.com host requests can access it?

personally i see the value during debugging but having it forced enabled this way (also for only one company) is not great and should be remedied.
benced, 10 months ago
This API either shouldn’t exist or should be Google only. It would be an absolute disaster if everyone had access to it.
jgalt212, 10 months ago
It's like Google relishes in giving the FTC all the help it could ever want.
Hizonner, 10 months ago
Google really needs to be broken up. Into 5 or 6 totally independent pieces.
CMYKninja, 10 months ago
I can hear the regulators in Strasbourg typing up complaints and fines now.
baggy_trough, 10 months ago
Wonder if Edge renames this to *.microsoft.com or bing.com.
ethanppl, 10 months ago
I wonder how Chromium, Brave or Edge handle this?
locallost, 10 months ago
Is this how they implement features like pinning a live game score in your phone from the browser? I always wondered how they do that.
mmsc, 10 months ago
And? Google uses Chrome to retrieve data about the user.

Every Chromium-based browser has 'hidden' APIs only accessible on certain domains. That's how the custom (read: closed source) extensions work. "Component extensions" are used to interact with them normally: https://chromium.googlesource.com/chromium/src/+/main/extensions/docs/component_extensions.md

See https://blogs.opera.com/security/2021/09/8000-bug-bounty-highlight-xss-to-rce-in-the-opera-browser/ and https://blogs.opera.com/security/2021/09/bug-bounty-guest-post-local-file-read-via-stored-xss-in-the-opera-browser/ for examples of when there are vulnerabilities in those extensions, and how they can be abused for remote code execution.

Any whitelisted domains for these APIs cannot be written to using user-installed extensions, in order for a malicious extension to not be able to inject a script and execute the special API.

At Opera, we previously tried attacking the underlying implementation about how these 'hidden' APIs are accessible. Although we found a lot of Opera-specific issues, the Chromium logic seems sound and a "bypass" for other websites accessing the API is unlikely. It also seems that the developer here was just a bit overzealous in allowing this API to be accessed from all google.com subdomains.
toenail, 10 months ago
Hm, I guess it's good I have a firewall?
oissla, 10 months ago
bot detection?
lwansbrough, 10 months ago
For anyone having trouble with the logic here, which seems like a lot of people in this thread for some reason:

[Google's browser] comes with [code] that [does things] in a default installation of [Google's browser] that [Google's competitors] can't do in a default installation of [Google's browser].
Palmik, 10 months ago
People arguing that this is "just extension" are ignoring the fact that extensions have special privileges compared to websites, and you would not want all websites to have the full power of arbitrary extension.

If it's "just extension", make it available to all domains.
bastien2, 10 months ago
This just in: Google Spyware has features accessible only to Google.
ranger_danger, 10 months ago
login-walled
beardyw, 10 months ago
What has a hidden API where? I have no idea what this is trying to say. Can anyone make sense of it?
kderbyma, 10 months ago
That was one reason I don't use Chrome. They clearly do special stuff on their sites. And spyware is guaranteed with chrome
asr, 10 months ago
So the concern is that Google is making Hangouts better in a way that is hard for competitors to replicate? (And by "hard," I mean, "competitors have to ask users to install something," not hard in any HN-relevant sense of the word.) This forum sure has a lot of wanna-be Handicapper Generals. https://en.wikipedia.org/wiki/Harrison_Bergeron