Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
Just started a few days ago, about a week after I had updated chrome. I have checked the firewall rules, and the rule to block incoming connections is there, so why does it keep popping up every time I launch chrome for the first time after a bootup? Has this happened to anyone else?
 

elvisimprsntr

macrumors 65816
Jul 17, 2013
1,035
1,544
Florida

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
But why is is happening every time, despite the fact I have already hit deny and the rule is listed in my firewall rules?
 

colinwil

macrumors 6502
Nov 15, 2010
296
167
Reading, UK
You might read here for an explanation:


while those articles try to explain how to prevent the message from appearing, they don’t explain why Chrome is attempting to accept incoming network connections in the first place.
 

davidlv

macrumors 68020
Apr 5, 2009
2,291
874
Kyoto, Japan
then use an alternative browser. problem solved.
I had the same issue with Chromium, and a member of a site that provides updated Chromium builds posted this fix:

xattr -csr /Applications/Chromium.app. <---- this terminal code worked on my iMac

While that works for chromium.app, you will have to change the name in that command to suit your case, using Google Chrome (look in the Applications folder, and add the "period.app" to app name.
The member who helped me fix that issue also posted the link below, which may apply to Chrome as well (not sure about that).
# Fix issue where macOS requests permission for incoming network connections
# See https://github.com/ungoogled-software/ungoogled-chromium-macos/issues/17
At least we know this is a programming issue that can be solved when building an app. It sounds quite complex to me.
 

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
Alright, I shall try this fix. I just wonder what actually caused it to happen in the first place?
 

foliovision

macrumors regular
Jun 11, 2008
190
91
Bratislava
I don't want Opera, Brave or Chromium to accept incoming connections, only outgoing ones. How do we make that work?

All the answers so far are for sheep who just want to disable the notifications and allow unlimited incoming connections.
 
  • Like
Reactions: LarTeROn

davidlv

macrumors 68020
Apr 5, 2009
2,291
874
Kyoto, Japan
I don't want Opera, Brave or Chromium to accept incoming connections, only outgoing ones. How do we make that work?

All the answers so far are for sheep who just want to disable the notifications and allow unlimited incoming connections.
I really don't understand why you don't want the browser to accept incoming connections, only outgoing ones.
Aren't incoming connections necessary for the browser to function correctly? Can you explain your view in more detail?
Oh, by the way, you could be more careful with phrases like "for sheep", which can be taken in several ways.


In regard to another related aspect, I have found that The Eloston builds of Chromium, available here; (https://formulae.brew.sh/cask/chromium; click once on the orange-red "eloston-chromium" text, then double click the orange version number after the yellow "Current version:") will not pop up that annoying message about accepting incoming connections, while other builds will, despite having the settings in the Security & Privacy preference pane / Firewall settings being set correctly.
I have no proof, but I believe it depends on the build settings, or perhaps even the order of the args or settings used when compiling the binaries.
The Chromium builds available at https://softaro.net/ungoogled-chromium/ also seem free of that annoying pop up message about allowing incoming connections, and it has the latest version available today, unlike the Eloston site, shown above.
The previous "xattr -csr /Applications/Chromium.app" setting does not work in every case and every Chromium build I have tried (personal experience only), but I don't think it will hurt to try it. See Post #9 above for a link to that prior discussion.
 
Last edited:

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
I really don't understand why you don't want the browser to accept incoming connections, only outgoing ones.
Aren't incoming connections necessary for the browser to function correctly? Can you explain your view in more detail?
Oh, by the way, you could be more careful with phrases like "for sheep", which can be taken in several ways.


In regard to another related aspect, I have found that The Eloston builds of Chromium, available here; (https://formulae.brew.sh/cask/chromium; click once on the orange-red "eloston-chromium" text, then double click the orange version number after the yellow "Current version:") will not pop up that annoying message about accepting incoming connections, while other builds will, despite having the settings in the Security & Privacy preference pane / Firewall settings being set correctly.
I have no proof, but I believe it depends on the build settings, or perhaps even the order of the args or settings used when compiling the binaries.
The Chromium builds available at https://softaro.net/ungoogled-chromium/ also seem free of that annoying pop up message about allowing incoming connections, and it has the latest version available today, unlike the Eloston site, shown above.
The previous "xattr -csr /Applications/Chromium.app" setting does not work in every case and every Chromium build I have tried (personal experience only), but I don't think it will hurt to try it. See Post #9 above for a link to that prior discussion.
Maybe it's down to a misinterpretation of what incoming connections means? I have plenty of programs I use that require connections, and incoming ones are blocked on all of them. It was my understanding that, once my program makes the outgoing connection, the exchange of data in and out progresses as normal. An incoming one is when an exterior connection is made to my machine, and specifically the program mentioned, without it first initiating it, which should be a security concern.

Or does that notification happen regardless of whether connections are actually being made?
 
  • Like
Reactions: foliovision

davidlv

macrumors 68020
Apr 5, 2009
2,291
874
Kyoto, Japan
Maybe it's down to a misinterpretation of what incoming connections means? I have plenty of programs I use that require connections, and incoming ones are blocked on all of them. It was my understanding that, once my program makes the outgoing connection, the exchange of data in and out progresses as normal. An incoming one is when an exterior connection is made to my machine, and specifically the program mentioned, without it first initiating it, which should be a security concern.

Or does that notification happen regardless of whether connections are actually being made?
Look at the Security and Privacy system preference pane, then Firewall and Firewall Options.
By default, "Automatically allow downloaded signed software to receive incoming connections" is set to ON.
The issue here is Chromium is not officially "downloaded signed software", nor is it "built-in software" like Safari
So you have to have the option to "allow it to accept incoming connections".
I think you are somewhat 'overthinking' that "An incoming one is when an exterior connection is made to my machine, and specifically the program mentioned, without it first initiating it, which should be a security concern. If my understanding is correct, that is exactly why Apple issues signed certificates to software developers.
I do not know why Chromium doesn't get a signed certificate, nor do I know the process required to get one.
The point is that Chromium downloaded from the two sites I mentioned above, the Eloston site and the Softaro.net site do not show that pop up dialog box asking for permission to "Allow incoming connections". Chromium obtained from other sites may vary in that regard. The comment by "foliovision" referred to Brave, Opera and Chromium, as well as turning off completely the function to accept incoming connections. I do not know exactly how doing that would affect a browser, but I expect it would alter the function of a browser to a large extent.
I think we need an expert's opinion here. Would a browser work fine with that function turned off completely?
 

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
I do not know why Chromium doesn't get a signed certificate, nor do I know the process required to get one.
The point is that Chromium downloaded from the two sites I mentioned above, the Eloston site and the Softaro.net site do not show that pop up dialog box asking for permission to "Allow incoming connections".
Well if I look at my rules, it is blocked for the google chrome helper app, and I deny it every time I start the app, and it works fine, which suggests that no part of browsing any site requires the app having the ability to accept incoming connections.

The other question is whether that popup means do you want to allow it in general, or whether it occurs because something is trying to make the connection, which then raises the question of what that is, and how it's even making a connection to a device that, at least in my case, is behind a hardware firewall on both networks. Moreover, this only began after an update, which I would think would imply a certain feature of chrome, but I have been unable to determine what that could be.
 
  • Like
Reactions: foliovision

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
Ok so according to apple:
Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, it the "Allow or Deny" dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.
So is there a way to determine why Google Chrome, or its helper apps, are for some reason no longer signed correctly, if that is what is happening?
 

foliovision

macrumors regular
Jun 11, 2008
190
91
Bratislava
I really don't understand why you don't want the browser to accept incoming connections, only outgoing ones.
I don't want websites connecting to my computer. I'm happy with one way connections, thank you. Applications with certificates verified by Apple/Google/Microsoft might protect you from street criminals but they don't protect you from commercial spyware or state snooping.
 

davidlv

macrumors 68020
Apr 5, 2009
2,291
874
Kyoto, Japan
I don't want websites connecting to my computer. I'm happy with one way connections, thank you. Applications with certificates verified by Apple/Google/Microsoft might protect you from street criminals but they don't protect you from commercial spyware or state snooping.
There is the option to turn off allowing all incoming connections in the Firewall options, have you seen that?
That dialog box does mention that certain network functions cannot be completely turned off. I am not well informed regarding the related network functions and protocols, so I am not sure how that affects our security.
In your case, perhaps a commercial firewall solution may be necessary. Have you looked into that option?
 

colinwil

macrumors 6502
Nov 15, 2010
296
167
Reading, UK
  • Like
Reactions: foliovision

Obviouslynotmyuser

macrumors newbie
Jun 18, 2022
1
2
Hey guys, I stumbled upon this thread after researching this rather strange problem.

TLDR: I believe this might be a security exploit (do not click "Allow")

Let me explain.

I began receiving the popup seeking authorization to Deny or Allow incoming connections to the application "Google Chrome Helper.app" a couple of weeks ago. I kept denying the request because I obviously didn't know from where the incoming connection was originating. I accepted it one day I was feeling annoyed and made no more note of it.

Days later, it turns out that my Mac made a notification sound it has never made before right around when I was *undressing* in front of it. Sure, this might be a hunch, but it made me feel observed. It sounded like a recording beep.

So I kept my trousers on and ran multiple deep scans and checks, however it all came back clean.

I then proceeded to update Mac OS. For a strange reason, though, the computer was not executing the restart command through System Preferences. I closed everything, tried again--still nothing. I was about to restart the computer manually when I just randomly decided to toggle off my connection to the Internet. *Boom*

Restart.

The update was applied, however the next round of updates was still being impacted by the same behavior--in other words, restart command not being executed, toggled off Wi-Fi, boom, restart.

And once the final restart brought my Mac back to its login screen: voilà voilà, the prompt asking whether "Do you want the application 'Google Chrome Helper.app' to accept incoming network connections?" reappeared in all its glory after inputting my password.

I tracked down the incoming connection to the Chrome extension "Videostream for Google Chromecast™" which was probably making use of the old, discontinued "Chrome Remote Desktop" as well. (I know, I should know better than to keep old apps installed.)

I have also noticed that the exploit toggled off my volume controls visibility in the Menu Bar (again, perhaps linked to my hunch about that strange beep).

However, I am still unable to find the file seeking authorization to accept incoming network connections. In fact, going through the Firewall to "Show in Finder" to fetch the file does nothing. This leads me to believe part 2 of the problem is still saved somewhere in my system. To be fair, I don't think whether the real Chrome Helper App is behind this behavior. Or if it is, the exploit is relying on it to initiate the connection.

Unfortunately I don't posses the deep-system tinkering expertise required to find it. Any suggestions?

Mid 2012 Macbook Pro 9,2 running Catalina 10.15.7 (19H1922); 16GB RAM; OWC SSD Data Doubler.
 

Attachments

  • Screen Shot 2022-06-18 at 12.45.25 PM.png
    Screen Shot 2022-06-18 at 12.45.25 PM.png
    33.7 KB · Views: 366
  • Screen Shot 2022-06-18 at 12.46.03 PM.png
    Screen Shot 2022-06-18 at 12.46.03 PM.png
    270.3 KB · Views: 369
  • Screen Shot 2022-06-17 at 11.59.06 PM.png
    Screen Shot 2022-06-17 at 11.59.06 PM.png
    46.3 KB · Views: 326
  • Screen Shot 2022-06-18 at 2.52.18 PM.png
    Screen Shot 2022-06-18 at 2.52.18 PM.png
    14.9 KB · Views: 223
Last edited:

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
I tracked down the incoming connection to the Chrome extension "Videostream for Google Chromecast™" which was probably making use of the old, discontinued "Chrome Remote Desktop" as well. (I know, I should know better than to keep old apps installed.)
So you had this extension installed under more tools-> extensions?

Well then that's an issue because I don't have that. Also, I find it unlikely it's an exploit given the large amount of posts I have been able to find about it. How were you able to determine where the incoming connection was going to?

Also I am pretty sure the reason you can't view it in finder is because it can't be navigated to outside of actually clicking on the app and using show package contents.
 

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
The bottom line is there’s no way I’d let any piece of software start hosting a server on my Mac without supplying any details of why it’s doing that.

Someone asked the question on the Google forums, and it instantly got blocked - with replies disabled: https://support.google.com/chrome/thread/17996006/why-does-chromium-offer-incoming-connections?hl=en

Time to break out Wireshark - though I suspect any traffic to it will be encrypted.
I take it you are seeing the same thing? Edit: Did wireshark show anything?
 
Last edited:

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
Ok so using /usr/libexec/ApplicationFirewall/socketfilterfw --listapp, despite showing up as com.google.chrome.helper, it doesn't appear as a rule through the terminal, only in the system preferences.
 

humpbacktwale

macrumors regular
Original poster
Dec 20, 2019
204
33
Hey guys, I stumbled upon this thread after researching this rather strange problem.

TLDR: I believe this might be a security exploit (do not click "Allow")

Let me explain.

I began receiving the popup seeking authorization to Deny or Allow incoming connections to the application "Google Chrome Helper.app" a couple of weeks ago. I kept denying the request because I obviously didn't know from where the incoming connection was originating. I accepted it one day I was feeling annoyed and made no more note of it.

Days later, it turns out that my Mac made a notification sound it has never made before right around when I was *undressing* in front of it. Sure, this might be a hunch, but it made me feel observed. It sounded like a recording beep.

So I kept my trousers on and ran multiple deep scans and checks, however it all came back clean.

I then proceeded to update Mac OS. For a strange reason, though, the computer was not executing the restart command through System Preferences. I closed everything, tried again--still nothing. I was about to restart the computer manually when I just randomly decided to toggle off my connection to the Internet. *Boom*

Restart.

The update was applied, however the next round of updates was still being impacted by the same behavior--in other words, restart command not being executed, toggled off Wi-Fi, boom, restart.

And once the final restart brought my Mac back to its login screen: voilà voilà, the prompt asking whether "Do you want the application 'Google Chrome Helper.app' to accept incoming network connections?" reappeared in all its glory after inputting my password.

I tracked down the incoming connection to the Chrome extension "Videostream for Google Chromecast™" which was probably making use of the old, discontinued "Chrome Remote Desktop" as well. (I know, I should know better than to keep old apps installed.)

I have also noticed that the exploit toggled off my volume controls visibility in the Menu Bar (again, perhaps linked to my hunch about that strange beep).

However, I am still unable to find the file seeking authorization to accept incoming network connections. In fact, going through the Firewall to "Show in Finder" to fetch the file does nothing. This leads me to believe part 2 of the problem is still saved somewhere in my system. To be fair, I don't think whether the real Chrome Helper App is behind this behavior. Or if it is, the exploit is relying on it to initiate the connection.

Unfortunately I don't posses the deep-system tinkering expertise required to find it. Any suggestions?

Mid 2012 Macbook Pro 9,2 running Catalina 10.15.7 (19H1922); 16GB RAM; OWC SSD Data Doubler.
Also, unless you have port forwarded on your router, no one outside of your network will be able to connect to you mac inside the network, which means if someone had done this, it would have to be from inside your network.
Still think it's not the case though.
 
  • Like
Reactions: colinwil

nottafanboi

macrumors newbie
Jul 11, 2022
2
2
Also, unless you have port forwarded on your router, no one outside of your network will be able to connect to you mac inside the network, which means if someone had done this, it would have to be from inside your network.
Still think it's not the case though.

Yeah, no...not sure who told you that, but that's patently false. If a system has been compromised, it doesn't matter whether or not you've punched any holes in the firewall because almost no home (or even small business) networks have any egress rules. Even if they did, threat actors are sufficiently clever nowadays that they'd find a way to piggyback their C2 traffic on the ports that are open.
 
  • Like
Reactions: foliovision
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.