CEF - Google Update - Data Leak - GDPR

Hello everyone,

Thanks to my firewall, I was able to make a very disturbing discovery.

When you create applications using Chromium (CEF), your application sends data to Google’s servers (at the URL update.googleapis.com). The request includes computer information (OS, Version) and other non-understandable data (see example request).

In the context of respecting the privacy of my end users as well as complying with the GDPR, using this component is risky and exposes you to legal action in EU countries.

Is it possible to disable this spyware?

Example query extracted via the Wireshark utility:

POST /service/update2/json?cup2key=11:tre3r54BdQPBJVRmP77LhLTUDuZMZgGkXAB9eU0D3uk&cup2hreq=6c0ecaa2b82153b3d82f1680bbe5147f601d93760e8062dd30a8716bfbc49f8a HTTP/1.1
Host: update.googleapis.com
Connection: keep-alive
Content-Length: 923
X-Goog-Update-AppId: oimompecagnajdejgnnjijobebaeigek
X-Goog-Update-Interactivity: bg
X-Goog-Update-Updater: chromium-101.0.4951.67
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Accept-Encoding: gzip, deflate

--
CONTENT POST
--

{
	"request": {
		"@os": "win",
		"@updater": "chromium",
		"acceptformat": "crx3",
		"app": [
			{
				"appid": "oimompecagnajdejgnnjijobebaeigek",
				"cohort": "1:1bk9:",
				"cohorthint": "4.10.2557.0 for Chrome 95+",
				"cohortname": "4.10.2557.0 for Chrome 95+",
				"enabled": true,
				"packages": {
					"package": [
						{
							"fp": "1.b880ccaf1ce7fd85e6fe7b6846d54de8cc0ea2afd9865cdb444fb4c6db124d9d"
						}
					]
				},
				"ping": {
					"ping_freshness": "{29069e9c-428a-40b1-a7c4-a1e8aae0a6e8}",
					"rd": 6031
				},
				"updatecheck": {},
				"version": "4.10.2557.0"
			}
		],
		"arch": "x64",
		"dedup": "cr",
		"domainjoined": false,
		"hw": {
			"avx": true,
			"physmemory": 32,
			"sse": true,
			"sse2": true,
			"sse3": true,
			"sse41": true,
			"sse42": true,
			"ssse3": true
		},
		"ismachine": false,
		"lang": "fr",
		"nacl_arch": "x86-64",
		"os": {
			"arch": "x86_64",
			"platform": "Windows",
			"version": "10.0.19045.3086"
		},
		"prodversion": "101.0.4951.67",
		"protocol": "3.1",
		"requestid": "{fb5ac651-f839-4524-8430-8b734fddf563}",
		"sessionid": "{30aa909d-87ac-4363-ac5f-f8fee9bc990f}",
		"updaterversion": "101.0.4951.67"
	}
}
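
Added example, not part of the original thread and not code from Xojo or CEF: a short Python audit that groups every field of the request body captured above by the shape of its value (GUID-shaped, long hex digest, or plain configuration value), which is a quick way to review what an outbound update check carries. The function names and the abbreviation of the body are assumptions made for the example.

```python
import json
import re

# Body abbreviated from the capture in the first post; values copied from it.
CAPTURED_BODY = r'''
{"request": {"@os": "win", "@updater": "chromium",
 "app": [{"appid": "oimompecagnajdejgnnjijobebaeigek",
  "packages": {"package": [{"fp": "1.b880ccaf1ce7fd85e6fe7b6846d54de8cc0ea2afd9865cdb444fb4c6db124d9d"}]},
  "ping": {"ping_freshness": "{29069e9c-428a-40b1-a7c4-a1e8aae0a6e8}", "rd": 6031},
  "version": "4.10.2557.0"}],
 "arch": "x64", "domainjoined": false, "lang": "fr",
 "hw": {"avx": true, "physmemory": 32},
 "os": {"arch": "x86_64", "platform": "Windows", "version": "10.0.19045.3086"},
 "prodversion": "101.0.4951.67",
 "requestid": "{fb5ac651-f839-4524-8430-8b734fddf563}",
 "sessionid": "{30aa909d-87ac-4363-ac5f-f8fee9bc990f}"}}
'''

GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")
HEX_RE = re.compile(r"^(?:\d+\.)?[0-9a-fA-F]{32,}$")  # optional "1." prefix as in "fp"

def flatten(node, path=""):
    """Yield (dotted_path, leaf_value) for every leaf of a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node

def classify(value):
    """Label a leaf by the shape of its value only, not by its meaning."""
    if isinstance(value, str) and GUID_RE.match(value):
        return "guid"
    if isinstance(value, str) and HEX_RE.match(value):
        return "hash"
    return "plain"

def audit(body):
    """Return {'guid': [...], 'hash': [...], 'plain': [...]} of field paths."""
    report = {"guid": [], "hash": [], "plain": []}
    for path, value in flatten(json.loads(body)):
        report[classify(value)].append(path)
    return report

if __name__ == "__main__":
    for kind, paths in audit(CAPTURED_BODY).items():
        print(f"{kind}: {', '.join(paths)}")
```

Running the same audit over bodies captured at different times or on different machines shows which of the flagged values change between requests and which stay fixed.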

See also
https://magpcss.org/ceforum/viewtopic.php?f=10&t=18741

You may want to make a feature request to disable these requests in Xojo.

While I agree that the Xojo CEF component should not be checking for updates (since it can’t update the component itself anyway), the information that it sends along is simply what it needs to determine if an update would be necessary on the machine and what latest version of Chromium would run on the machine. There’s nothing in that data that uniquely identifies one particular machine over another, for instance, and they (Google) certainly could not pick you out among similarly configured machines.

2 Likes

While I agree, there are plenty of environments where attempting to send any kind of information out at all which is not expressly allowed (especially to companies like Google) is forbidden. It should be fixed.

5 Likes

Widevine DRM requires your “video player” to download a very specific module signed for your platform. In the case of Windows, it will be the file widevinecdm.dll, and for Unix-like systems libwidevinecdm.so, which the host will save in a proper place and register (loading the decoding capabilities). If you use Netflix, your “player” does that; many apps on most machines are doing it right now across all of Europe… One example of a package being downloaded after the player sends the proper request from an AMD64 (extended x86) CPU on a Linux host using the Widevine engine 4.10.2557.0 is https://dl.google.com/widevine-cdm/4.10.2557.0-linux-x64.zip

If Europe is going to get in trouble with it, the video streaming market in Europe will be in trouble.

That said, I’m not sure if any Xojo user plays protected video content, probably 99% do not, and hardly anyone will be affected, but disabling it is as simple as including an optional argument to the compiler call.

In a quick inspection of my machine here, I found that Microsoft Teams, Microsoft Edge, Firefox, Spotify, and the software for my Wacom tablet are using it. :smile: