Chrome access all your computer files



  • Here, it seems Google's spyware now is scanning files on your computer:

    https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool

    The article tries to downplay this but I find this deeply concerning. A browser has no business in scanning my hard drive.


  • Vivaldi Translator

    "Chrome can access all your computer files"

    Chromium has always been able to read your local files.
    When Avira Scout was in beta I reported that I could see all my recently accessed files and folders from using the OS, in the browser history.
    Same as you would see in the IE history.

    I suggested that they treat it as a privacy problem if the history is being sent to google.
    They agreed and culled it.

    Having said that, I understand why google have made a tool to look for bad extensions and plugins etc.
    This follows their model on Android with the new Play store feature that will scan your phone looking for bad apps.
    This however is optional in phones, just as it should be.

    Google Chrome has always been about hiding things from the user, at almost every level.
    It was installed secretly in most PCs with either java or flash updates (just like adware stuff always arrives)
    It was the first browser that did not notify the user there was a new update, and just does it anyway, even if you don't want it.
    It hid access to the real browser options and makes you dig 2 levels for the main options which contain nothing much.

    Real chrome browsers already send your local file accesses into the cloud via your history.
    If you are not logged into google it will avoid the risk of it being in your personal account history.



  • I would advocate for user choice, and not have this be on by default.

    At the end of the day, google chrome's big draw was that it made it easier to browse the web. Having all of these extra things on by default and silently active makes things easier for people to browse the web and if this does actually find malware and prevent it from harming users, then it's a net positive in terms of security.

    Of course, you have to trust google to make the right decisions (personally, I would not). I think the final quote in that article says it all, really:

    β€œFor almost all users, this seems really harmless, and for those who are extremely concerned about Google seeing some metadata, maybe they shouldn't be running Google's browser in the first place,” he said.



  • About trust, sorry to say, but Vivaldi installs, without asking, two components: update_notifier.exe (always running) and chrmstp.exe (runs at logon):

    0_1522861962454_vivaldi.png


  • Moderator

    @stilgarwolf said in Chrome access all your computer files:

    chrmstp.exe

    This is not "without asking." Both merely enable a feature of Vivaldi which is to check with Vivaldi update servers to see if there is a new version, and let you know. To not install them would mean that the only way you would ever know of an update is to manually check the update servers yourself, or read the blog every day.

    It is not honest to label these as though they are somehow stealthy and suspicious installs.



  • @terere said in Chrome access all your computer files:

    Here, it seems Google's spyware now is scanning files on your computer:

    https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool

    The article tries to downplay this but I find this deeply concerning. A browser has no business in scanning my hard drive.

    I totally agree with you. Such behavior by a browser goes way too far. And on top of it all: no way to disable it.

    I'm seriously hoping that this won't be pushed to Chromium as then I would see no other option but to say goodbye to the one Chromium-based browser that I am using to write these lines: Vivaldi.
    It'd be a true pity, but I wouldn't give up principles for it.
    Finger's crossed.

    /Edit: rewording



  • @ayespy said in Chrome access all your computer files:

    @stilgarwolf said in Chrome access all your computer files:

    chrmstp.exe

    This is not "without asking."...
    It is not honest to label these as though they are somehow stealthy and suspicious installs.

    This IS "without asking". And they sure are stealthy installs.

    This is "with asking":
    0_1522867269481_firefox.png


  • Moderator

    @stilgarwolf Yeah. Not really. Vivaldi has a function. It's not a secret or background function, but rather an "in your face" function. It is to check and let you know if there are updates, which you may then choose to install or not, at your pleasure. You can even turn the function off in the settings. It is completely transparent. People who turn it off have gone as much as a year, unknowingly, with no updates and no knowledge that one exists.

    There are two files that make this function possible. If these are "stealth" installs, then so is every single file of the browser structure, because the installer doesn't stop and name every file and ask your permission to install it.

    Firefox, in your example, is asking permission to update "silently in the background." of course you would ask permission for this. It's silently, in the background. Vivaldi's entire update process, however, is completely under your control. So far as I know, there are no plans to ever even offer the option to accept silent updates.

    You are making scary goblins out of a normal, routine, function of the browser. There's a term for this in the internet commenting world. It's called FUD. I advise against it.



  • @ayespy
    It's not about silent updates, nor about installing browser's components, but about silent installing background services.


  • Moderator

    If you are concerned about installing such services, please report it to the bugtracker.
    Please read How to Report a bug for Vivaldi carefully and then report the bug to Vivaldi bugtracker.

    I will contact our security team when the bug is reported.



  • @gwen-dragon
    Done: VB-39179


  • Vivaldi Translator

    The Vivaldi update tool sits in plain view and always asks you if you want to update.
    I agree that the installation of the update tool should have been more obvious and clear, but at no point is it kept a secret.
    In my opinion it should be something we can enable/disable from within Vivaldi.

    The google updater sits in the background quietly eating large chunks of ram and CPU time.
    It never notifies you of an update or shows it is updating.

    The Firefox updater may or may not have downloaded an update at the point it notifies you of an update.
    You can't tell unless you open the "About" panel, at which point it will fetch the download if it has not already.

    None of these are ideal.


  • Moderator

    @dr-flay said in Chrome access all your computer files:

    In my opinion it should be something we can enable/disable from within Vivaldi.

    It is something you can enable/disable from within Vivaldi.

    Settings -> Updates -> Notify about updates.

    Untick and it will be deleted from autorun. By default it's enabled.


    @rogerwilco said in Chrome access all your computer files:

    I'm seriously hoping that this won't be pushed to Chromium

    Probably won't, it uses ESET and so it's copyrighted. To end up in Chromium it would need to be open-source.



  • @an_dz said in Chrome access all your computer files:

    Settings -> Updates -> Notify about updates.

    Untick and it will be deleted from autorun. By default it's enabled.

    It's true for updater, but not for chrmstp.exe.


  • Moderator

    @stilgarwolf Here I don't have this file, I guess it's because you installed it in Program Files so it requires UAC elevation.


  • Moderator

    @stilgarwolf Myself and some other testers likewise did not have the chrmstp.exe on our systems. The only way I was able to create it was to install for "all users" in C:\Program Files. So I assume An_dz must be on to something. It's probably necessary to elevate UAC permissions.



  • @an_dz said in Chrome access all your computer files:
    [...]

    @rogerwilco said in Chrome access all your computer files:

    I'm seriously hoping that this won't be pushed to Chromium

    Probably won't, it uses ESET and so it's copyrighted. To end up in Chromium it would need to be open-source.

    Thanks for reminding me of the ESET fact. (no irony)
    Let's hope that no such functions will be built into it, even if GPL etc. license.

    Semi off-topic but as it had benn brought up a few posts earlier on this thread: an auto-updater that only takes care of the one program that it is supposed to keep up-to-date, which is optional to be run automatically falls into an entirely different category to me.
    Sure, I'd also prefer Vivaldi to be available through one of the main/default/renowned PPA (repositories) on Linux but that's not a deal breaker to me yet either.

    Anyhow, thanks again for the clarification regarding the file scanning (by ESET).


  • Moderator

    @rogerwilco said in Chrome access all your computer files:

    Sure, I'd also prefer Vivaldi to be available through one of the main/default/renowned PPA (repositories) on Linux but that's not a deal breaker to me yet either.

    At least on Arch it's available through the herecura.eu repo, the maintainer is a Soprano and an Arch trusted user who maintains some of the stuff at community.


  • Vivaldi Ambassador

    @terere
    It is said that it runs only runs with the installed account privileges.
    If you're running as admin, it will have the capability to read the entire filesystem. If you're running a user account, it will scan the users files... Then it will ask the user if it is OK to remove any suspicious files. I aslo think there is a toggle to turn off sending info to the big G.
    At least that's the way G explains it.
    Not sure I like it especially since I have already have a good Anti-Virus (among other security products).



  • @stilgarwolf said in Chrome access all your computer files:

    This is "with asking":
    0_1522867269481_firefox.png

    This installs an actual automatic update service that runs with root access to your system and is able to actually stealthily change its behavior.
    I.e. an actual trojan horse.


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.