Attempted background request to accounts.9oo91e.qjz9zk/ListAccounts #104

Closed
tonowoe opened this issue Oct 13, 2016 · 29 comments


tonowoe commented Oct 13, 2016

What is chromium actually trying to do when these "trk" and "qjz9zk" requests are blocked? I have had these "request blocked" notifications a couple of times, e.g. when surfing on some random Wikipedia pages. Why is it trying to create a connection? What data does it (try to) send/receive? Should we be worried about this?

Contributor

9Morello commented Oct 13, 2016

tl;dr no, you shouldn't be worried.
The connections to the "9oo91e.qjz9zk" domain are actually blocked connection attempts to Google servers. ungoogled-chromium uses domain-substitution to remove any Google domain from the source code, and replaces it with a "9oo91e.qjz9zk" domain. The warnings you're seeing are to warn you that something happened and it triggered a Google connection attempt.

From the readme:

  • (Iridium Browser feature change) Prevent URLs with the trk: scheme from connecting to the Internet
    • Also prevents any URLs with the top-level domain qjz9zk (as used in domain substitution) from attempting a connection.

If you can replicate it, please post the instructions so we can investigate what triggers it.
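The rule quoted from the readme can be applied to recorded infobar messages to see which ones it accounts for. The sketch below is an added example, not part of the thread and not ungoogled-chromium's code; the matching logic (case-insensitive scheme, last host label compared to `qjz9zk`) is an assumption about how such a rule would be checked, and the sample lines are constructed from URLs quoted on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

BLOCKED_SCHEME = "trk"      # scheme named in the readme
SUBSTITUTED_TLD = "qjz9zk"  # TLD used by domain substitution
INFOBAR_RE = re.compile(r"Blocked attempted request to:\s*(\S+)")


def block_reason(url):
    """Return why the readme rule would block `url`, or None if it would not."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() == BLOCKED_SCHEME:
        return "trk-scheme"
    # hostname drops any port and userinfo; strip a trailing root dot.
    host = (parts.hostname or "").rstrip(".").lower()
    # Compare only the last label, so "qjz9zk.example.com" does not match.
    if host.rpartition(".")[2] == SUBSTITUTED_TLD:
        return "substituted-domain"
    return None


def triage(lines):
    """Count infobar messages by (reason, host, path); query strings are dropped
    so repeated requests to one endpoint group together."""
    counts = Counter()
    for line in lines:
        match = INFOBAR_RE.search(line)
        if not match:
            continue  # not an infobar message
        url = match.group(1)
        parts = urlsplit(url)
        reason = block_reason(url) or "unexpected"
        counts[(reason, parts.hostname or "", parts.path)] += 1
    return counts


# Constructed sample: infobar wording and URLs as quoted in this thread.
SAMPLE = [
    "Blocked attempted request to: https://accounts.9oo91e.qjz9zk/ListAccounts"
    "?gpsia=1&source=ChromiumBrowser&json=standard",
    "Blocked attempted request to: http://www.95tat1c.qjz9zk/generate_204",
    "Blocked attempted request to: http://www.95tat1c.qjz9zk/generate_204",
    "Blocked attempted request to: https://support.9oo91e.qjz9zk/chrome/?p=e_awsnap_rl",
    "You are using an unsupported command-line flag: --no-sandbox.",
]

if __name__ == "__main__":
    for (reason, host, path), n in triage(SAMPLE).most_common():
        print(f"{n:2d}  {reason:18s} {host}{path}")
```

Anything reported as `unexpected` would be an infobar for a URL the readme rule does not explain.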

Author

tonowoe commented Oct 13, 2016

Does the notification come to the tab (under the URL bar) where the connection was made? For example, does it mean that if I have two tabs, YouTube and Wikipedia, and the Wikipedia tab is active/opened and then I get a notification in my Wikipedia tab that there was an attempted request to https://accounts.9oo91e.qjz9zk, that there was something in the Wikipedia page itself which triggered the connection attempt to Google? Or does the notification come by default for the active tab, despite what tab triggered it?

I tried to replicate it, but I couldn't. I was logged in my Google Accounts and I had two tabs; YouTube and Wikipedia, and Wikipedia opened. Maybe my YouTube page was trying to connect to Google Accounts in the background, don't know. I can't get the notification even if I try to "trigger" it by logging in and out from Google Accounts, and browsing videos in YouTube and doing Google searches and stuff.

Here is a screenshot of the notification that I've had a couple of times now.

Member

Eloston commented Oct 13, 2016

> Does the notification come to the tab (under the URL bar) where the connection was made? Or does the notification come by default for the active tab, despite what tab triggered it?

That's a good question. I haven't dug very deep into how infobars are displayed, so I don't know the answer to that.

> I was logged in my Google Accounts

How are you logging into Google? Are you going purely through the web (e.g. going to google.com and clicking the sign-in button)? Or is there some interface in Chromium you're using?

Author

tonowoe commented Oct 13, 2016

Yea, purely through web, clicking sign-in button in google.com (https://accounts.google.com/ServiceLogin). I have installed these extensions: HTTPS Everywhere, uBlock Origin and uMatrix.

@9Morello
Contributor

Are you seeing any connections right when you open your browser?

Member

Eloston commented Oct 13, 2016

What platform are you using?

Author

tonowoe commented Oct 13, 2016

> Are you seeing any connections right when you open your browser?

Connections, you mean notifications? No, I don't. Only notification I get when I open up my browser is:

You are using an unsupported command-line flag: --no-sandbox. Stability and security will suffer.

If you don't mean notifications; should I monitor my traffic when I open up my browser to spot some weird/Google connections?

> What platform are you using?

Amd64 Debian Jessie & Chromium_53.0.2785.143-1_amd64

Contributor

9Morello commented Oct 13, 2016

> If you don't mean notifications; should I monitor my traffic when I open up my browser to spot some weird/Google connections?

No need to. If it tries to connect to Google, it will show a notification. I should have said notifications.
If you want to monitor your traffic, remember you'll see ungoogled-chromium connecting to some IPs to update the uBO/uMatrix lists when you open the browser, and that's it.

Member

Eloston commented Oct 14, 2016

@tonowoe Do you have the same issue when you try to sign-in using incognito?

Author

tonowoe commented Oct 14, 2016

No I don't. I can't replicate it in the incognito mode either.

Member

Eloston commented Oct 14, 2016

Well it's unfortunate you're not able to replicate it. I'm not sure what you did to trigger it, but I've never seen it happen before and I can't replicate it right now. I don't see any changes between 116 and 143 that change the sign-in code.

However it's a good thing you kept a record of the URL it tried to connect to. I haven't dug very deep into the source code yet, but here's what I found out so far:

  • google_apis/gaia/gaia_urls.cc: The URL is probably constructed with the constants in here.
  • Here's a list of some files that may or may not be involved with this:
    • ./components/browser_sync/browser/profile_sync_service.cc
    • ./components/signin/core/browser/account_reconcilor.cc
    • ./components/signin/core/browser/account_investigator.cc
    • ./components/signin/core/browser/gaia_cookie_manager_service.cc
    • ./google_apis/gaia/gaia_auth_fetcher.cc
    • ./google_apis/gaia/gaia_auth_util.cc
    • ./chrome/browser/ui/webui/signin_internals_ui.cc

The objective is to find the code (that may not be in any of these files) that is making the request to this URL. Then the next objective is to see what triggers the function to make the request.

For future reference, here's the URL shown in the screenshot: https://accounts.9oo91e.qjz9zk/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard

Eloston added the bug label Oct 14, 2016
Eloston changed the title from "What is the "trk: scheme" and "9oo91e.qjz9zk" requests?" to "Background request to https://accounts.9oo91e.qjz9zk/ListAccounts" Oct 14, 2016
Member

Eloston commented Oct 14, 2016

Just to confirm @tonowoe, did you build Chromium with all of the GYP flags, all of the patches, and source cleaning? (i.e. did you build without modifying buildlib or the files in resources/?)

Author

tonowoe commented Oct 14, 2016

Yea, didn't edit those.

Author

tonowoe commented Oct 17, 2016

Now I got a new notification:

Blocked attempted request to: http://www.95tat1c.qjz9zk/generate_204

Immediately after opening https://translate.google.com. I was logged in to Google (through web).

What I'm wondering is that, is this normal behavior? Do you guys too get these notifications regularly?

Contributor

9Morello commented Oct 17, 2016

I don't use any of Google's services. Unfortunately I cannot test it.
I haven't gotten any requests through navigation alone, only by clicking specific elements of the UI.

Member

Eloston commented Oct 17, 2016

I wouldn't think that someone that is interested in this project would want to use Google services to the extent that you are, so I've never tested these kinds of cases. But even if this doesn't fit a normal use-case, it means that there is still some special treatment despite our patching efforts (although it fails at communicating with Google over HTTP/HTTPS with a domain name in the source code). This is a problem since we don't know the extent of the special treatment (yet).

Regarding your new error, I might split it off into a new issue report if these two issues are not related. But for now, I can't reproduce your new error; I went to translate.google.com, clicked "Sign-In", signed-in, and then it redirected me back to translate.google.com without any infobar. What exactly did you do to get the infobar?

Eloston changed the title from "Background request to https://accounts.9oo91e.qjz9zk/ListAccounts" to "Attempted background requests to Google from the browser when signed-in to Google via the web interface" Oct 17, 2016
Author

tonowoe commented Oct 17, 2016

I really don't use Google account or their services that much, I use YouTube and Google Translate. Although I'm logged in when I do other surfing, but I don't use any other Google services other than those, or use Google accounts for anything else.

I can't replicate it either. It just comes randomly without any repeatability. I logged in normally through web by clicking Sign-In in google.com, then I did some random surfing and after a while I went to translate.google.com and I got the notification. I tried to refresh the page, close the page and open it again, logging in and out and trying to replicate it, and trying to replicate it in incognito mode etc., but without success.

Author

tonowoe commented Oct 22, 2016

Okay, so now I can replicate one notification:

  1. Go to https://mcdonalds.fi/
  2. Get notification Blocked attempted request to: http://www.95tat1c.qjz9zk/generate_204

This notification comes only with HTTPS connection. I'm not logged into Google, so it can be replicated in incognito mode too. This is what I see when I go to that page (due to the invalid certificate):

Your connection is not private

Attackers might be trying to steal your information from www.mcdonalds.fi (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Back to safety | HIDE ADVANCED
This server could not prove that it is www.mcdonalds.fi; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to www.mcdonalds.fi (unsafe)

@9Morello
Contributor

I'm not getting any notifications when visiting that page.
Are you managing your cookies? Do you currently have Google cookies stored in your browser?

Author

tonowoe commented Oct 22, 2016

That's weird. I'm not managing my cookies, I get it in the incognito mode too (fresh mode, no cookies/visits to other sites).

Member

Eloston commented Oct 23, 2016

I'm not getting anything here either. Your steps are probably indirectly triggering some code that is rarely executed. Hard to say without investigating the source code.

Author

tonowoe commented Oct 23, 2016

Oh guys, I'm sorry. The correct URL which triggers it is without www. So the correct URL is https://mcdonalds.fi

Do you now get the notification too?

Member

Eloston commented Oct 23, 2016

Nope

Author

tonowoe commented Oct 23, 2016

Hmm, that's strange. For me the notification comes up every time I refresh that (Privacy error) page, even in fresh incognito mode.

@9Morello
Contributor

No notification here either.

Author

tonowoe commented Oct 27, 2016

How about this one, can you replicate it?

  1. Open a new tab (e.g. google.com)
  2. Open Task Manager (Shift + Esc)
  3. Highlight the tab which you just opened in step 1.
  4. Click the "End process" button
  5. Aw, Snap! page will be shown: "Aw, Snap! Something went wrong while displaying this webpage. Learn more Send feedback"
  6. Click the "Learn more" link
  7. Get notification Blocked attempted request to: https://support.9oo91e.qjz9zk/chrome/?p=e_awsnap_rl

Member

Eloston commented Oct 27, 2016

That's not related to this issue because that's not a background request to Google. The link is broken due to domain substitution.

Author

tonowoe commented Oct 27, 2016

Oh I see.

Eloston changed the title from "Attempted background requests to Google from the browser when signed-in to Google via the web interface" to "Attempted background request to accounts.9oo91e.qjz9zk/ListAccounts" Nov 5, 2016
Member

Eloston commented Nov 5, 2016

Okay, so I just got this infobar too; identical to what @tonowoe reported already. I was not doing anything out of the ordinary, so I don't know how to reproduce this.

I can say with high certainty that this is some bug that affects all platforms, but triggers only in very specific circumstances.

EDIT: I have been keeping my session open, and it seems that this infobar occasionally pops up on GitHub only.

Eloston added this to the 54.x.x.x milestone Nov 29, 2016
chirayudesai pushed a commit to chirayudesai/chromium that referenced this issue Jan 19, 2023
Disables Gaia code.
Somehow it is still being activated even without being signed-in.

See also: ungoogled-software/ungoogled-chromium#104

License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
calyxos-gerrit pushed a commit to CalyxOS/chromium that referenced this issue Mar 8, 2023
Disables Gaia code.
Somehow it is still being activated even without being signed-in.

See also: ungoogled-software/ungoogled-chromium#104

License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
Change-Id: I66d649c751962b5d8d7c495105cb202545ca3916