Vivaldi downloads hidden "FLoC" data-gathering component, possibly new in 3.5 snapshot?
While investigating some other network issue I noticed the Windows BITS service making connections to Google servers on port 80.
svchost.exe 2116 TCP crapstation 50052 arn09s11-in-f174.1e100.net http ESTABLISHED 11 3 222 13 10 913 svchost.exe 2116 TCP crapstation 50053 cache.google.com http ESTABLISHED 11 4 710 13 9 794
Since it was plain http I had a look at what it was actually getting, and downloaded it. Turns out it was a small crx/extension component. Mostly empty but containing a manifest of:
"name": "Federated Learning of Cohorts"
I've included the full download headers on the bottom of this post.
Some articles on FLoC I found, they are not very comforting reading:
Given Vivaldi's view on Google monitoring of users I'm surprised they've let this pass.
I've been unable to reproduce this in a clean profile, but I don't think this is an extension, and I've tried disabling them all but the download still triggers. Maybe a setting, and I've tried to play around with the settings to reproduce in the clean but no luck so far. I suspect my install was "selected" for this data gathering experiment. So it might not even apply to every Vivaldi install.
Would very much like to get some insight from the team what this component is, and how to completely stop it from ever loading again.
If anyone's interested in examining the downloaded file, it's here:
It can be installed as an extension in Dev. mode.
Download headers log:
[30.10.2020 12:41:34:224] HEAD /edgedl/release2/chrome_component/ANbJyUvW8hIrXyVkxTt8TzA_1.0.4/AN3Jv7sK1aiaWtgNQAuBT8Y HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: redirector.gvt1.com [30.10.2020 12:41:34:239] HTTP/1.1 302 Found Date: Fri, 30 Oct 2020 11:41:33 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Location: http://r6---sn-uxaxovg-vnar.gvt1.com/edgedl/release2/chrome_component/ANbJyUvW8hIrXyVkxTt8TzA_1.0.4/AN3Jv7sK1aiaWtgNQAuBT8Y?cms_redirect=yes&mh=Ly&mip=188.8.131.52&mm=28&mn=sn-uxaxovg-vnar&ms=nvh&mt=1604057967&mv=m&mvi=6&pcm2cms=yes&pl=16&shardbypass=yes Content-Type: text/html; charset=UTF-8 Server: ClientMapServer Content-Length: 496 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN [30.10.2020 12:41:34:239] HEAD /edgedl/release2/chrome_component/ANbJyUvW8hIrXyVkxTt8TzA_1.0.4/AN3Jv7sK1aiaWtgNQAuBT8Y?cms_redirect=yes&mh=Ly&mip=184.108.40.206&mm=28&mn=sn-uxaxovg-vnar&ms=nvh&mt=1604057967&mv=m&mvi=6&pcm2cms=yes&pl=16&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: r6---sn-uxaxovg-vnar.gvt1.com [30.10.2020 12:41:34:239] HTTP/1.1 200 OK Accept-Ranges: bytes Content-Disposition: attachment Content-Length: 3937 Content-Security-Policy: default-src 'none' Content-Type: application/octet-stream Etag: "739219" Server: downloads Vary: * X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Date: Fri, 30 Oct 2020 05:01:16 GMT Alt-Svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Last-Modified: Mon, 05 Oct 2020 22:28:29 GMT Connection: keep-alive
Hadden89 last edited by Hadden89
@Pathduck Maybe there were risks to break the chromium sandbox or other functions. If is not useful maybe will be removed soon or un-googled at least.
For some reason the triggering of the BITS service also seems to start it sending hundreds of packets on port 4444 to my router (which for some reason listens on 4444). These are POST requests with an action of
According to IANA port 4444 is either KRB524 (Kerberos, tokens?) or "NV Video default" (No idea, can't be NVidia?).
However I suspect some uPNP thing from the router server header.
These are most likely not Vivaldi's fault, but definitely seems related to the triggering of BITS downloads.
[30.10.2020 14:40:49:897] POST /wcommifc HTTP/1.1 Cache-Control: no-cache Connection: Close Pragma: no-cache Content-Type: text/xml; charset="utf-8" User-Agent: Microsoft-Windows/10.0 UPnP/1.0 SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetTotalBytesSent" Content-Length: 309 Host: 192.168.0.1:4444 <?xml version="1.0"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:GetTotalBytesSent xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/></SOAP-ENV:Body></SOAP-ENV:Envelope> [30.10.2020 14:40:49:929] HTTP/1.1 200 OK SERVER: ipOS/7.6 UPnP/1.0 ipUPnP/1.0 CONTENT-TYPE: text/xml EXT: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><u:GetTotalBytesSentResponse xmlns:u="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"><NewTotalBytesSent>1587503697</NewTotalBytesSent></u:GetTotalBytesSentResponse></soap:Body></soap:Envelope>
Priest72 last edited by
Is this present with linux also.?
barbudo2005 last edited by
FYI: gorhill 1 hour ago:
"I suppose we could add it to the "uBlock filters -- Privacy" for now, that's the purpose of the list, to create privacy-related filters optimized for uBO."
Block Floc checks in Chrome/uBO #1553
Priest72 last edited by
@barbudo2005 will the dawning of manifest v3 affect this as of course google will make it a priority for FLoC to be incorporated,
Just a thought.