Menu
I am trying to build an extension that would notify a user when new version of Chrome is available.
I tried to inspect network traffic when Chrome is checking for an update and it is sending a request to http://74.125.95.113/service/update2?w=3:{long_encoded_string} page that returns XML with information I need:
<?xml version="1.0" encoding="UTF-8"?>
<gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod">
<daystart elapsed_seconds="31272"/>
<app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok">
<updatecheck status="noupdate"/>
<ping status="ok"/>
</app>
</gupdate>
Besides sending {long_encoded_string} as URL parameter it is also sending some encoded cookie.
Maybe someone familiar with Chrome build process can shed some light on those encoded strings and how to build them? Maybe there is another easier way (I have a feeling that string encoding is a dead end for me)?
913
Google Chrome uses omaha to do updates to clients. The protocol is described here: http://omaha.googlecode.com/svn/wiki/cup.html. One thing you have to notice is that Google Chrome automatically downloads the update to your computer and then notifies (via icon on the tool menu). Unless you force check by opening the about dialog (in Windows).
As you have noticed, the Chrome GUID is {8A69D345-D564-463c-AFF1-A69D9E530F96}
The best way to see how Google Chrome is updating is to check the source code which is public. Google just ifdefs their version of Chrome in Chromium.
The base class where all the updates happen is in UpgradeDetector, it basically checks for an upgrade every 1 hour for the dev channel and once a day for all the other channels and builds (stable / beta). The Chromium way to do a scheduled events is through Tasks, in this case it is caleld a DetectUpgradeTask which checks for a specific BrowserDistribution::GetSpecificDistribution. There are many browser distributions, for Windows it is called GoogleChromeDistribution which is in charge to figure out what the version that needs to be update..
So why am I saying all this, Google Chrome is just querying registry settings and local files to figure out if a new update exists. The the UpgradeDetector just compares the distributions if they are the same. The implies that Omaha does the whole update mechanism. And the best part to figure out what omaha does is to look at their omaha update protocol.
From quickly glancing at the protocol, the approach your taking is the correct one, but you have to figure out the public key. In this case, the w, which differs for every request. You can read more about this in the "Protocol observations" in the omaha update protocol. It does this to do a securely check for download updates and they do this to protect the communication. They want the connection that checks for updates to be authentic and fresh so an attacker cannot replace or modify the message nor trick the client to upgrading a vulnerable version.
It isn't just a simple request to the server to do an update check. The Omaha client protocol provides an alternative to SSL for update checks and does client-server requests to see if its a valid connection. They are doing all this to protect the communication as explained before.
Unfortunately I don't think there is a "Chrome Extension" HTML'sh way to do this unless you implement that handshake yourself using NPAPI. Don't take my word for granted, I might be totally wrong :) Unless you can do the handshake all through XHR requests.
Since you want to check if Chrome has been updated and not installed, you have to verify that a new distribution has been downloaded as explained above in the code GoogleChromeDistribution which definitely requires NPAPI to read the registry.
99
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
