Is Chromium Spying When Not in Use?

Convergence · 2015-04-13 06:11:12

I just learned of a tool called "nethog", installed it and watched to see what programs were generating traffic on my computer. One of them was chromium, which is funny because I wasn't using Chromium.

I've known for some time thanks to "top" that chromium runs when I'm not using it. I thought that it was annoying, and that it embedded itself into some autostart file, and was just taking up memory so that it would launch faster for when I actually opened it. However, I never suspected that it was generating network traffic when not in use.

I've since uninstalled Chromium, but I ran whois on one of the IPs that it was connecting to. It was Edgecast, a "Content delivery" service owned by Disney.

Is anyone else seeing this?

Last edited by Convergence (2015-04-13 06:22:56)

graysky · 2015-04-13 06:55:16

Was settings>advanced>continue running background apps enabled?

Convergence · 2015-04-13 06:57:20

It probably was, (since I never bothered to disable it). But that doesn't answer the question: why was it generating traffic?

Awebb · 2015-04-13 09:45:13

We will never know, because you don't have it anymore to do a forensic analysis.

LeonardK · 2015-04-13 12:16:22

There is an official comparison between Chromium and Chrome here.

As Chromium is kinda open source (in the literal sense) it should be not spying on you – I think that would be well-known in this case. But most people use Chromium in conjunction with a GAccount, so Chromium is all the time connected with the push servers from Google (Mail-Notifications etc). Also some extensions might run in background that use the internet (TextSecure for Browsers, Pushbullet, etc.).
Chromium nowadays is actually much more than a browser ^^ (I mean, it has parts of the Android Runtime built-in and stuff. Chromium and ChromiumOS share a large codebase etc.).

Convergence · 2015-04-15 15:48:46

So to be clear, other people are experiencing this, and are OK with the idea that Chromium is running, and communicating with websites when the browser is closed (and hasn't been opened in weeks across multiple boots)?

Sure it is open source, but it is also big, complex, and created by a company that is very interested in harvesting your data. I tend to think of Google as a benevolent giant, and I have a certain amount of faith in the open source process, but you could probably hide a small city in chromium's source code, or a vulnerability the size of the San Andreas fault.

Heh, maybe I'm paranoid, or maybe I am after all the only one that experienced this after all. But to be honest, programs running without my explicit permission, phoning home in ways that I could not easily control or understand were a large part of the reason that I left windows so many years ago.

edit: grammar

Last edited by Convergence (2015-04-15 17:25:39)

LeonardK · 2015-04-15 16:01:31

Convergence wrote:

So to be clear, other people are experiencing this, and are OK with the idea that Chromium is running, and communicating with websites when the browser is closed (and hasn't been opened in weeks across multiple boots)?
Sure it is open source, but it is also big, complex, and created by a company that is very interested in harvesting your data. I tend to think of Google as a benevolent giant, and I have a certain amount of faith in the open source process, but you could probably hide a small city in chromium's source code, or an vulnerability the size of the San Andreas fault.
Heh, maybe I'm paranoid, or maybe I am after all the only one that experienced this after all. But to be honest, programs running without my explicit permission, phoning home in ways that I could not easily control or understand were a large part of the reason that I left windows so many years ago.

Actually it does have your permission and it *can* be useful. You can just deactivate it with unticking "run in background". I like it as I'm sometimes too lazy to open up another mail program and thus just fire up GMail and get notified of it – even when not running in foreground.

So yeah, there's a not-spying reason for it but we can't really know whether this is the only reason ^^.

Awebb · 2015-04-15 16:07:35

Once more: Install it, reproduce the behavior and give us logs and outputs, then we can try and see what's going on. Chances are you used a website's feature and didn't notice. What we will not accept is blurry FUD about software spying on us. We already have enough threats to worry about.

Convergence · 2015-04-15 16:32:38

@LeonardK: I didn't say that it was running without my permission. I said that it was running without my explicit permission. There is a very important difference. If buried in the fine print, or an options menu, something is by default ticked that enables a program to run in the background without my knowledge, that is not the same thing as "I am now with full knowledge and consent giving you permission to run on my computer at this very moment. "

@Awebb: I just did this. I don't know exactly what I'm doing, I've never run a packet sniffer before. I executed this command:

tcpdump -w /root/tcpdump.001

By the way, this has just gotten a lot more urgent for me. I've watched the process in nethogs for a few minutes, did some things in firefox, and noticed that Chromium was silent unless I log into an account in firefox. Let me be clear, I am not actively using chromium at at all. It is running in the background without my express/explicit permission, and is quiet unless I use firefox to log into my online accounts including my bank account. This behavior is highly suspicious to me.

Last edited by Convergence (2015-04-15 17:01:17)

Convergence · 2015-04-15 16:34:45

I am willing to post this file somewhere to be analyzed by someone that is more knowledgeable than me, however I'm also concerned about the privacy implications of posting this on the web. I'm not sure than any sensitive (or useful) information will be in this file.

Convergence · 2015-04-15 16:45:43

I know that time is valuable to all of you, so I'm not asking you to be available at a moment's notice to analyze this, but for me, there is a strong sense of urgency. I want to uninstall chromium again, and begin the process of re-securing all of my online accounts. If the command that I have run is inadequate, or not useful, please let me know so that I can begin this process. This is the kind of behavior that I would expect from a password stealing trojan.

If it's relevant, I DO have extensions for Chromium. They are:
https everywhere
proxy switchysharp
scriptsafe (disabled but still installed at the time)

I'm considering uninstalling these extensions 1 at a time to see which one might be causing the problem.

Last edited by Convergence (2015-04-15 17:28:18)

LeonardK · 2015-04-15 18:09:07

While this activity being definitely strange a trojan woudlnt make up a notceable amount of network that sticksout in a tcpdump – atleast not if "only" password sniffing.
Yes, Chromium doesnt have your explicit permission that's right. But we need to think about it that Chromium didn't became so big because it satisfied the needs of full transparency concerning this but because of speed and ease of use *for non-techies*.

I do see your concern and will run a tcp dump on mine too, and maybe we really are a bit naive – but I do think that Chromium is *rather* safe.

But if you were ti create a qt webkit based browser compatible with PPAPI and crx which has a sane config level (ie: more): I'ld certainly be using it :-)

nomorewindows · 2015-04-15 18:12:11

Opera is now using chromium backend, and if you don't let all the pages load fully, it has a tendency to stay in memory even after closing opera and logging out user.

Convergence · 2015-04-15 18:35:48

@LeonardK: Thanks! Nethogs is a useful tool to see if a program is generating any traffic at all. Instead of listing traffic by port or something, it lists executables that are generating traffic. That's what got this started.

It does occur to me that this might not be a problem with Chromium at all. Maybe some file that I downloaded attached itself to my Chromium executable, or maybe it was one of the seemingly harmless extensions that I used. A LONG Long time ago, someone I knew did some nefarious things (stupid teenage script-kiddy) by attaching a malicious payload to another executable (that was desirable to his victim). Maybe something like this happened to me. Maybe your results will tell.

Convergence · 2015-04-15 18:37:16

@nomorewindows: That's probably not the case here, as I don't use Opera.

Convergence · 2015-04-15 18:59:34

These are the IP addresses that I managed to identify as suspicious. Maybe this will help filter results:

72.21.91.29
209.63.234.59
23.49.139.27
72.167.18.239

In my haste, I was careless, and didn't catch all of the suspicious IP addresses.

Last edited by Convergence (2015-04-15 19:04:03)

Awebb · 2015-04-15 19:02:44

Yay! Let's get to the bottom of this. Could you please make sure you use a fresh profile with nothing inside? I have "/profile"-ed the thread, didn't find it yet. Simply kill all processes around chromium, and move the profile folder to another place, so chromium will start afresh. If it still happens, then we have different problem, probably unrelated to chromium itself.

Convergence · 2015-04-15 19:10:35

@Awebb: I'm not sure I understand. Are you asking me to 1) reinstall chromium 2) killall chromium [and anything chrome related] 3) ~/.config/chromium 4) start chromium and see if the suspicious behavior continues? Maybe creating a new Linux user with a fresh home dir would be cleaner?

Awebb · 2015-04-15 19:13:53

Yes, this is exactly what I am asking for. Creating a new user is a good idea as well. I'd remove the config first, if it's gone after that, your profile might be tainted, if not, it might be the user. Also make sure to remove all other folders chromium uses (I'm not sure where the cache is, you might try some find command for chromium on your home folder.

LeonardK · 2015-04-15 20:12:14

So, my tcpdump is rather harmless, that is, it does what I expect it to do connect with my router and some services I *want* sync with.

To your IPs. The first and 3rd IP when accessed return just a file with "0" as content. Quit strange. #4 gives "403 - Forbidden" and #2 is from becu.org (boeing employees creit union) – but there's a big banner concerning fraud.

A bit strange – especially as I do not experience that.
I'm using quite a bunch of extensions:
TextSecure
Https everywhere
Opt-Out extensions from google
Mitro
Pushbullet
Steam Database
TextEditor
uBlock

I think the best thing for now is to do what Awebb described.

Convergence · 2015-04-15 20:27:48

Done. I'm now on my new user with a clean home dir. I think that Awebb's guess is a good one. The problem is probably not with the Chromium itself, but with something in my home dir, possibly with my .config/chromium directory. That home directory is very old (years), so it is likely at some point some malicious config or script found it's way in.

Obviously I need to change my online account passwords, but should I also re-install Arch? Also, There is a lot of valuable information in my home dir. I'm thinking I can just tar the whole thing up, and later extract anything I need (as I need it). Sound like a good plan?

ewaller · 2015-04-15 21:01:01

Have you run rkhunter? It gives a fair number of false positives, but it might be worth a spin. It is in community.

LeonardK · 2015-04-15 21:03:45

I think reinstalling sgould not be needed at all. Even using a new user shouldnt be needed if you just move everything in the old home dir into a subfolder and copy out everything you need.
There's not als .config but also .local you might want to have a look in.
Thanks to a clean directory structure this mostly is it. There's not much other space where stuff would hide.

Awebb · 2015-04-16 10:57:38

I'd wager you can fix this by deleting every chromium related folder, start with a fresh profile, turn the background service offline and be careful what sites you visit. Chrome is a modern web browser and modern web browsers have a tendency to offer "features" of all kinds.

On the other hand, after a couple of years it might be not a bad idea to clean up your home folder. You might want to take some time and inspect every folder and move it to the new user. You might not only clear up some space, but get rid of old configs and ancient (mal)practice in the process. I do this once a year, or rather did this until I learned how to use git to manage my configs and store my files not directly in home but rather bind mount external paths.

Arch Linux

#1 2015-04-13 06:11:12

Is Chromium Spying When Not in Use?

#2 2015-04-13 06:55:16

Re: Is Chromium Spying When Not in Use?

#3 2015-04-13 06:57:20

Re: Is Chromium Spying When Not in Use?

#4 2015-04-13 09:45:13

Re: Is Chromium Spying When Not in Use?

#5 2015-04-13 12:16:22

Re: Is Chromium Spying When Not in Use?

#6 2015-04-15 15:48:46

Re: Is Chromium Spying When Not in Use?

#7 2015-04-15 16:01:31

Re: Is Chromium Spying When Not in Use?

#8 2015-04-15 16:07:35

Re: Is Chromium Spying When Not in Use?

#9 2015-04-15 16:32:38

Re: Is Chromium Spying When Not in Use?

#10 2015-04-15 16:34:45

Re: Is Chromium Spying When Not in Use?

#11 2015-04-15 16:45:43

Re: Is Chromium Spying When Not in Use?

#12 2015-04-15 18:09:07

Re: Is Chromium Spying When Not in Use?

#13 2015-04-15 18:12:11

Re: Is Chromium Spying When Not in Use?

#14 2015-04-15 18:35:48

Re: Is Chromium Spying When Not in Use?

#15 2015-04-15 18:37:16

Re: Is Chromium Spying When Not in Use?

#16 2015-04-15 18:59:34

Re: Is Chromium Spying When Not in Use?

#17 2015-04-15 19:02:44

Re: Is Chromium Spying When Not in Use?

#18 2015-04-15 19:10:35

Re: Is Chromium Spying When Not in Use?

#19 2015-04-15 19:13:53

Re: Is Chromium Spying When Not in Use?

#20 2015-04-15 20:12:14

Re: Is Chromium Spying When Not in Use?

#21 2015-04-15 20:27:48

Re: Is Chromium Spying When Not in Use?

#22 2015-04-15 21:01:01

Re: Is Chromium Spying When Not in Use?

#23 2015-04-15 21:03:45

Re: Is Chromium Spying When Not in Use?

#24 2015-04-16 10:57:38

Re: Is Chromium Spying When Not in Use?

Board footer