Comment by htrp
6 months ago
> So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
So I guess the question becomes how quickly you can spoof this ?
Wouldn't you be able to deploy an app script website, which is hosted on "script.google.com" and make use of this?
your code do not run from that domain at all.
it does if I hack your dns server :)
1 reply →
Does Chrome do certificate pinning checking in this case?
No it does not. Firefox does by default. But then again, you would need the user to install your cert. Good luck with that
If you mean can another domain trick Chrome into letting it access those APIs… probably not; it seems it’s based on the browser extension architecture which is already somewhat hardened and I believe doesn’t even load the code for the extension if you’re not on a matching domain (though the typical protection goes the other way around — preventing extensions from accessing website data without permission).
It seems bad enough that Google has access to it to justify ripping it out.
You just need to "register" a subdomain. So basically any google employee has potentially full access to your system?
You’re likely severely underestimating the amount of internal paperwork and review that is required to launch a new google.com subdomain.
I did one on my local network and didn't fill out anything
10 replies →
Maybe they don't need a new subdomain, something unused could do the trick.
Probably a 'something.google.com'...
But you could have teams with DNS zone delegation who can.create.anything.like.this.google.com
Or anyone who controls your DNS resolution which has a number of paths (for example a local hosts file, possibly a router, changing your config or how you get your config to a malicious DNS server, etc)
Won’t work with https.
If that malicious actor can install a custom ca too, they can already install whatever spyware they want.
Not that easy with HSTS.
Also need a cert which is tricky
or public wifi access point
You'd probably need DNS and Root Certificates, something to which most employers have access
In what world does "system / tab CPU usage, GPU usage, and memory usage" mean "full access to the system"? Any Chrome extension can access this info easily, the point that the tweet makes is that there's a built-in Chrome extension that shares this info with Google's own websites without any confirmation.
What about anything on sites.google.com?
Is it really that easy? I just kind of assumed that devs could create subdomains under a dev TLD like googdev123.com, but not google.com until it was a fully-fledged product release.
Nothing at Google is that easy. It is a large and slow-moving bureaucracy.
2 replies →
> full access to your system
Only to leak your CPU/GPU utilization though as far as I understand it. Those can also be exposed in other ways by legitimate JS/WebGPU by measuring/profiling shader runs/etc.
Drive.google.com links also work
If you could spoof google.com you have much bigger fish to fry.
Pretty much impossible, would need to defeat https/ct. You would have to spoof *.google.com within chrome.
So if you install your own certificate authority and then spoof the DNS it might be possible? Not so useful as an attack vector, but potentially useful for people who want to do fun things with the browsers they own.
You can just expose the data to all sites with your own extension if you have access to the device.
certificate pinning would prevent this for google related domains.
1 reply →
Don't have to spoof it - just put something on Google Docs and send people a link.
Google Docs is designed to not let you run arbitrary JS in a trusted (i.e. google.com origin) context, or else the author of any doc you visit could act as you on Google properties.