Why Securly did everything right and still has the easiest bypass


Securly is a really good extension.

Seriously, from a developer perspective, Securly is not only lightweight but also has actually readable code. Securly's total size is around 1/20th the size of GoGuardian's. It successfully serves its purpose of blocking sites based on a school policy. It doesn't try to include a screen-recorder or logger in a massive clunky extension.

While it is vulnerable to point-blank, I wasn't able to find another way to bypass its filtering script without the use of third-party exploits.

Ah, yes, third-party exploits.

So basically, if Chrome actually worked properly, Securly would be very hard to bypass. But universal exploits like LTBEEF screw over all extensions, and there's nothing the extensions themselves can do about it.

Killcurly is just another instance of an extension putting their trust in the idea that Chrome actually works properly, and then Chrome, well, doesn't work properly. In this case, Chrome forgot to remove a settings URL which messes up scripts that the extension needs to run.


In early August of 2022, I was just messing around late at night on Chrome on my personal Windows computer. At the time, my main focus was an exploit to add personal user accounts to websites such as Gmail, even when adding them from settings was blocked.

Anyway, while messing around with sync (I think I was looking for a way to clear history), I found a button on chrome://settings which allows you to turn off sync. For Windows computers, this basically means that the Chrome profile is still signed into your school account, but things such as styles and policies don't apply.

When I clicked this "turn off sync" button, it took me to the URL below:

chrome://settings/signOut

This is a confirmation for whether you'd like to actually turn sync off (similar to /clearBrowserData). Once you confirm, sync is (of course) turned off, and your browser reverts to a default profile. Well, at least it does on Windows.

ChromeOS doesn't use the /signOut URL. Right? Oh.

As I found out that night, the URL still exists on ChromeOS, which is strange since I own a personal Chromebook and have never seen it actually being used anywhere.

So, anyway, I click the button and... nothing seems to happen. Which makes sense, because there's no part of ChromeOS where you're supposed to be signed into a Google account and still have a default profile.


But it turns out that the button actually does have some very subtle effects. Clicking it runs the code below:

chrome.send("TurnOffSync");

This is a message to the lower levels of the device which only chrome:// pages are allowed to use. The "TurnOffSync" command seems to achieve its goal by breaking a ton of account-related ties between the Chrome browser and the operating system of the Chromebook itself.

At the time, I realized that it allowed some people to add personal Google accounts to websites by visiting a specific URL afterwards (this will be covered later in the article).

Once I made that discovery, I took a break and moved onto something else. I also found an alternate signOut URL but I don't feel like talking about it much publicly.


Then, in late November of 2022, zoroark#4285 on Discord messaged me about a simple exploit he found with this URL.

One thing that I have skipped mentioning is that the signOut URL breaks a certain API known as chrome.identity. It allows extensions to get data about a user who's signed into Chrome. When the ties are broken between ChromeOS and Chrome during the sync disabling process, this API completely fails.

I had already looked into this but quickly assumed that all extensions kept storage of who the user was. If they did this, the extension would only need one successful chrome.identity call, then it would block stuff until a powerwash. As such, I deemed this type of extension-tampering unviable.

But. Remember how I said Securly was so simple? Well, it turns out that Securly doesn't keep any long-term storage about who the user is. Instead, it fetches the user data every time the extension restarts. Specifically, it uses the code below:

function fetchUserAPI() {
  // Asks Chrome who the signed-in user is, every time the extension starts
  chrome.identity.getProfileUserInfo(function(e) {
    var t = e.email;
    // Then it starts setting up the block policies
  });
}

So basically, if you can get Securly to initialize while you are in the signOut state, it'll be broken until sync is re-established.
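The fix the previous paragraphs point at (an extension that remembers who the user is after one good chrome.identity answer, and that fails closed rather than silently running with no policy when the answer is empty) is easy to show next to the vulnerable shape. The block below is an added illustration written for this page, not Securly's code: it assumes a policy object shaped like `{ mode, email, source }`, a `storage` helper with `get`/`set` (standing in for chrome.storage.local), and a constructed `chrome` mock that calls back with an empty email to simulate the broken signOut state, so the file runs in Node without a browser.

```javascript
// Added illustration, not Securly's code: a policy bootstrap that fails
// closed when chrome.identity cannot answer. `api` replaces the global
// `chrome` object so the logic can be driven by a constructed mock.

const DEFAULT_DENY = { mode: "deny-all", reason: "identity unavailable" };

// Pure decision: given what chrome.identity returned and what was cached
// from an earlier successful call, choose the policy to apply. Returning
// DEFAULT_DENY instead of "no policy" is what closes the window the post
// describes. (Assumed shape: chrome.identity hands back empty strings when
// it cannot identify the user.)
function decidePolicy(identity, cachedEmail) {
  const email = identity && identity.email ? identity.email : "";
  if (email) {
    return { mode: "user-policy", email, source: "identity" };
  }
  if (cachedEmail) {
    return { mode: "user-policy", email: cachedEmail, source: "cache" };
  }
  return DEFAULT_DENY;
}

// Vulnerable shape (mirrors the snippet above): block policies are only
// set up inside the callback, so an empty identity means no policy at all.
function initVulnerable(api) {
  const state = { policy: null };
  api.identity.getProfileUserInfo((info) => {
    if (info && info.email) {
      state.policy = { mode: "user-policy", email: info.email, source: "identity" };
    }
    // empty email: nothing happens and filtering silently stays off
  });
  return state;
}

// Hardened shape: cache the identity once it has been seen, and fall back
// to the cache, or to deny-all, when the lookup comes back empty.
function initHardened(api, storage) {
  const state = { policy: null };
  api.identity.getProfileUserInfo((info) => {
    const cached = storage.get("userEmail");
    state.policy = decidePolicy(info, cached);
    if (state.policy.source === "identity") {
      storage.set("userEmail", state.policy.email); // remembered for the next restart
    }
  });
  return state;
}

// --- constructed mocks, not real Chrome APIs ---
function makeChromeMock(email) {
  return {
    identity: {
      // The real API calls back asynchronously; the mock calls back at once
      // so the returned state is already populated when runScenario() reads it.
      getProfileUserInfo(cb) { cb({ email, id: email ? "id-constructed" : "" }); },
    },
  };
}

function makeStorageMock() {
  const data = new Map();
  return {
    get: (k) => data.get(k) || "",
    set: (k, v) => { data.set(k, v); },
  };
}

// Walks through the situation from the post: one healthy start, then a
// restart while chrome.identity returns nothing.
function runScenario() {
  const storage = makeStorageMock();
  const healthy = makeChromeMock("student@school.example"); // constructed address
  const broken = makeChromeMock("");

  const vulnBroken = initVulnerable(broken).policy;                 // null: filtering off
  initHardened(healthy, storage);                                   // seeds the cache
  const hardBroken = initHardened(broken, storage).policy;          // served from cache
  const hardFresh = initHardened(broken, makeStorageMock()).policy; // no cache: deny-all
  return { vulnBroken, hardBroken, hardFresh };
}

console.log(runScenario());
```

The point of `decidePolicy` being a pure function is that the fail-closed branch can be unit-tested without a browser; the real extension would pass the global `chrome` object and `chrome.storage.local` in place of the mocks, and would still want a periodic retry so that a deny-all state recovers once sync is re-established.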

Now, here's the important thing: sync is re-established (and thus chrome.identity becomes re-functional) whenever you sign back into your Chromebook from the main account picker screen.

So now you have to figure out a way to restart Securly (or any extension for that matter) without fully signing out and back into your Chromebook. It turns out that there are at least four ways to do this:

Now that we know how to do this, it's fairly easy to form a full exploit chain.


Full POC:

  1. Go to chrome://settings/signOut on ChromeOS and click the blue button
  2. Use one of the four methods in the paragraph above to reload Securly
  3. Go to tinyurl.com/addsession and add your account back

Wait, what on earth is step three? Well, it turns out that there is a side effect to step one. Pressing the signOut button breaks all Google login features on websites since those are pretty well-linked with your actual Chromebook settings. It'll make any Google login screen break stuff and force you to re-activate sync.

However, I was able to find a very specific URL that adds an account to a website without messing up browser settings (again, it wasn't intended for ChromeOS). Due to policy misconfigurations, some people can even add personal Google accounts with this URL when they would otherwise be blocked. This is yet another Chrome oversight when it comes to managed accounts.

Anyway, this TinyURL link (which is what I found when I was first looking into signOut) is the final step in the exploit. You are left with Securly (and maybe a couple other extensions) completely broken but otherwise a completely normal browsing experience.

To undo killcurly, just sign out with ctrl+shift+qq and sign back in. Not tough at all.


Once again, zoroark deserves massive amounts of credit for this discovery. Killcurly is probably the easiest extension-disabling method that works for the majority of people on the latest version.

And yes, it is possible that this may work for other extensions as well. A few other minor extensions may also use the chrome.identity API too frequently, leading to tampering. I only chose to name it "killcurly" because Securly is much more popular than any other vulnerable extension.

If any Securly devs are reading this, I feel sorry for you. Sometimes Chrome just lets people down. Keep up the readable code!

Coming up next: LTBEEF and how it was found. Until next time!
