Comment by justo-rivera
6 months ago
You just need to "register" a subdomain. So basically any google employee has potentially full access to your system?
6 months ago
You just need to "register" a subdomain. So basically any google employee has potentially full access to your system?
You’re likely severely underestimating the amount of internal paperwork and review that is required to launch a new google.com subdomain.
I did one on my local network and didn't fill out anything
But only you have access to your local network.
6 replies →
is your local network google.com ?
2 replies →
Maybe they don't need a new subdomain, something unused could do the trick.
Probably a 'something.google.com'...
But you could have teams with DNS zone delegation who can.create.anything.like.this.google.com
Or anyone who controls your DNS resolution which has a number of paths (for example a local hosts file, possibly a router, changing your config or how you get your config to a malicious DNS server, etc)
Won’t work with https.
If that malicious actor can install a custom ca too, they can already install whatever spyware they want.
Not that easy with HSTS.
Also need a cert which is tricky
or public wifi access point
You'd probably need DNS and Root Certificates, something to which most employers have access
In what world does "system / tab CPU usage, GPU usage, and memory usage" mean "full access to the system"? Any Chrome extension can access this info easily, the point that the tweet makes is that there's a built-in Chrome extension that shares this info with Google's own websites without any confirmation.
What about anything on sites.google.com?
Is it really that easy? I just kind of assumed that devs could create subdomains under a dev TLD like googdev123.com, but not google.com until it was a fully-fledged product release.
Nothing at Google is that easy. It is a large and slow-moving bureaucracy.
Agree. I work at Google. I promise nothing happens quickly. It can take over a week to set up a new SQL database & client. Half coding (don't get me started on boq...) and half data integrity and criticality annotations for the data...
I don't know what setting up a new domain is like but I can't imagine it's something you "just do".
1 reply →
> full access to your system
Only to leak your CPU/GPU utilization though as far as I understand it. Those can also be exposed in other ways by legitimate JS/WebGPU by measuring/profiling shader runs/etc.
Drive.google.com links also work