xiaomao's blog


Гео и язык канала: не указан, не указан
Категория: не указана


随便发着玩的

Связанные каналы

Гео и язык канала
не указан, не указан
Категория
не указана
Статистика
Фильтр публикаций


Shocking! Google has reserved a private API in Chromium that allows Google websites to read more PC hardware information, such as CPU/GPU usage and log records.

Chromium is an open-source browser project led by Google. Google's Chrome browser, Microsoft's Edge browser, and browsers like Opera, Brave, and Vivaldi are all built on the Chromium project.

Recently, developer @lcasdev discovered something shocking while examining the Chromium source code: Google has reserved a private API that is only accessible to Google's main domain, *.google.com.

What is this API used for? With this API, Google websites can read CPU usage, GPU usage, memory usage, access CPU specifications, and provide logging.

Normally, websites can only obtain information about a user's PC through the UserAgent string, which typically provides details such as CPU architecture, operating system version, or screen resolution through other means.

However, the hardware information Google can obtain through this private API is much more detailed. Setting aside the privacy issues, the fact that this API is only available to Google domains violates the EU's latest Digital Markets Act (DMA).

For example, both Google Meet and Zoom provide video conferencing services. With the help of this private API, Google can optimize the performance of Google Meet on PCs as much as possible. In contrast, Zoom cannot access detailed CPU/GPU usage information, making its optimization efforts less effective. This gives Google an unfair competitive advantage using Chrome, putting Zoom at a disadvantage.

Further analysis revealed that this private API is implemented through a Chrome extension (ID: nkeimhogjdpnpccoofpliimaahmaaome), but users cannot disable this extension or find it on the extension management page, making it completely private to users.

It is noteworthy that at least two third-party browsers based on Chromium have already been found to include this extension. Apparently, these browser developers were unaware of this situation; otherwise, they would have removed this extension during development.

These two browsers are Microsoft Edge and Brave. It is likely that other browsers developed based on the Chromium project also include this extension, providing Google websites with more hardware information from users.

Given the issues of overreach, privacy concerns, and potential DMA violations, Google may respond in the near future. However, it is not yet clear whether Google will update Chrome to allow users to disable this extension.

This article is translated from https://ourl.co/104867








省流 如果你还在用 Via 请尽快卸载


Mulch
This is a security-oriented web browser based on Chromium. Many unwelcome features have been disabled and removed, and a few security features have been enabled, thanks to patches from the Vanadium project. The source code repository also includes pre-builds and makefiles for other operating systems to use Mulch as a system WebView.

Cromite
Cromite is a Chromium modification based on Bromite that supports ad blocking and privacy protection.

K-9 Mail
A full-featured email client

Orbot: Tor for Android
Orbot is a free proxy application that makes it safer for other applications to use the Internet. Orbot encrypts your Internet traffic using Tor, which hides the traffic by "bouncing" between a series of computers around the world. Tor is free software, and it represents an open network, which can help you protect against threats to personal freedom and privacy, confidential business activities and business relationships, and network surveillance in the form of so-called traffic analysis.

Termux
Terminal emulator with packages

Aurora Store
Unofficial FOSS client for Google Play with elegant design and privacy

NewPipe
Lightweight YouTube frontend

Barcode Scanner
An open source application that allows you to read and generate barcodes.

Binary Eye
A barcode scanner


Mulch
这是一个安全导向的基于 Chromium 强化的网络浏览器。由于 Vanadium 项目的补丁,许多不被欢迎的特性被禁用/删除,少数安全功能被启用/添加。源代码库还包括预构建和生成文件,以便其他操作系统将 Mulch 作为系统 WebView。

Cromite
Cromite 是基于 Bromite 的 Chromium 修改版,支持广告拦截和隐私保护。

K-9 邮件
功能齐全的电子邮件客户端

Orbot:Android 版 Tor
Orbot 是一款免费的代理应用程序,可以让其他应用程序更安全地使用互联网。Orbot 使用 Tor 来加密你的互联网流量,后者通过在世界各地的一系列计算机之间“跳跃”来隐藏流量。Tor 是一款自由软件,也代表一个开放的网络,它可以帮助您抵御威胁个人自由和隐私、机密商业活动和商业关系以及所谓流量分析形式的网络监视。

Termux
带有软件包的终端模拟器

Aurora Store
Google Play的非官方自由/开源软件客户端,拥有优雅的设计和隐私

NewPipe
轻量级 YouTube 前端

条码扫描器
一个开源应用程序,允许您读取和生成条形码。

Binary Eye
一个条码扫描器


Репост из: Apktool M
Apktool_M_v2.4.0-240623(2024062301).apk
13.4Мб
Новое в версии 240623:
- добавлена функция встраивания поставщика документов в файлы apk для доступа к данным приложения (скопирована из MT Manager);
- результат сравнения текстовых файлов можно сохранить;
- улучшено сравнение подписи двух apk;
- исправлено получение информации о приложениях без указанной версии;
- исправлено выделение открытых файлов в результатах поиска;
- исправлено открытие файлов в редакторе из результатов поиска, иногда выделение результата смещалось;
- исправление ошибок, улучшения;

Предыдущие изменения смотрите в истории версий.

VirusTotal ✅

@apktool_m


Репост из: 蓝点网订阅频道
#系统资讯 微软显然不喜欢你在 Windows 10/11 上使用本地账户,微软日前发布了一份支持文档指导用户如何从在线账户切换为本地账户,结果现在这份支持文档已经被删除。

现在在 Windows 11 里用户必须登录账户否则无法完成 OOBE 设置,除非用户知道如何通过命令行绕过登录。

查看全文:https://ourl.co/104618

👉 订阅频道:蓝点网订阅
👉 开搜AI智能搜索直达结果
👉 全能播放器VidHub支持云盘


Репост из: 蓝点网订阅频道
#软件资讯 YouTube 视频编码问题再次导致 Firefox 无法正常播放,经过调查 Firefox 确认此问题是 YouTube VP9 出现错误的字节流导致而非 Firefox 问题。

为了解决这个问题 Firefox 将在本月底推出 127.0.2 版进行修复,到时候用户可以重新播放 YouTube 上的 1080p 视频。

查看全文:https://ourl.co/104620

👉 订阅频道:蓝点网订阅
👉 开搜AI智能搜索直达结果
👉 全能播放器VidHub支持云盘


gpt商店对所有用户开放了。相信如果你能体验gpt-4o就可以进入gpt商店




Twitter.com 会自动重定向到 X.com
Twitter.com 正式下岗


Репост из: Du Rove's Channel
🏅Telegram is the #1 most downloaded mobile app in China on Android, according to Google Play. Access to Telegram requires a VPN in China, but Chinese people are smart — they like Telegram and find a way to use it.

🇨🇳 Last week, China forced Apple to remove apps such as Telegram from its Chinese App Store. We haven’t seen any decrease in downloads coming from China — and I don’t think Telegram was the main target of this change.

🍎 It was a move against Apple itself: the Chinese authorities are forcing more of their citizens to switch from iPhones to Android smartphones produced by Chinese companies such as Xiaomi. Unlike iPhones, most Android phones allow sideloading apps outside app stores — such as the direct version of Telegram — so more users from China will migrate to Android.

Once again, Apple shot itself in the foot with its centralized “walled garden” app policies. As a result of this change, the iPhone market share in China will keep shrinking. Prioritizing profits over freedom for users is not a good long-term strategy👆


Репост из: LSPosed
在经过团队讨论后,LSPosed 项目组决定招募内部测试人员。该测试将采用内部部署方式进行,测试版本将仅通过内部渠道分发。

选定的内测人员应具有基本的操作能力,知道如何恢复变砖的设备,能向开发者提供日志。内测人员将无偿提供测试服务,并履行保密义务,严禁向他人分享任何测试软件包。请注意,内测人员无权访问软件的源代码。

软件测试完成后,根据测试结果和其他相关因素,项目组将决定是否恢复对外发布,并考虑将软件开源或部分开源。

内部测试版本将通过一个私有的 Telegram 群组进行分发。希望参与测试的用户需提交申请,并提供其 GitHub ID 以供审核。审核通过后,用户将被授权加入该群组。

具体的申请入群方式将在后续公布。


After team discussions, LSPosed project group has decided to recruit internal testers. The testing will be conducted through internal deployment, and the test versions will only be distributed through internal channels.

Selected beta testers should possess basic operational skills, know how to recover a bricked device, and be able to provide logs to developers. Beta testers will provide their testing services voluntarily and are required to adhere to confidentiality obligations, strictly prohibiting the sharing of any test software packages with others. Please note that beta testers will not have access to the software's source code.

Upon completion of the software testing, depending on the results and other relevant factors, the project team will decide whether to resume public releases and consider open-sourcing the software entirely or partially.

The internal test versions will be distributed through a private Telegram group. Users wishing to participate in the testing must submit an application and provide their GitHub ID for review. Once approved, users will be authorized to join the group.

Details on how to apply to join the group will be announced later.


Репост из: Rosmontis's Daily🔆
Видео недоступно для предпросмотра
Смотреть в Telegram
⚠️⚠️⚠️⚠️警告⚠️⚠️⚠️⚠️

*Telegram大概于 UTC+8 2024年4月12日18:25,在服务端进行了修复,pyzw文件后会有untrusted的标记。

Telegram Desktop版本远程代码执行漏洞已被确认

危害程度极高,建议用户根据文章建议关闭自动下载功能


情况介绍

4月9日
一条视频宣称Telegram Desktop客户端有漏洞,能轻松实现远程代码执行恶意攻击

当日,Telegram 称无法确认 Desktop 版本远程代码执行漏洞


4月12日
笔者发现,Telegram Desktop Github库下一条PR中提到一个Bug,能通过某种方式发送pyzw格文件,Telegram会将其识别为视频文件,实现伪装视频效果,且客户端默认设置条件下,会自动下载文件,用户看到后常常会下意识点击执行,攻击生效。

前置条件: Telegram Desktop Windows


Репост из: 风向旗参考快讯
Telegram 表示无法确认所谓的 Desktop 版本远程代码执行 (RCE) 漏洞。这很可能是一个骗局。并表示:“任何人都可以报告我们应用中的潜在漏洞并获得奖励。”

—— Telegram




Репост из: exploit.org
SECURITY ALERT ⚠️

Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.

For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).

We are currently investigating this vulnerability.


❤️本频道有时会更换链接。以下是备用链接

主链接 https://t.me/SBIO000

备用1 https://t.me/+JCvIcnSLLD84Zjk1

备用2 https://t.me/+jIEK5xcMoVtlNjZl

Показано 20 последних публикаций.

5

подписчиков
Статистика канала