A jumbo Chrome extension update focused on evasions

This past week saw the release of significant changes to our Chrome extension that make it resistant to evasion attempts. Please find our release notes from v2.54 below:

1) Killing the extension via Task Manager
One evasion that was reported by several of our customers involved students being able to shut the Chrome extension down via the Chrome Task Manager. Recent changes by Google meant that extensions that are pushed out via the GAfE control panel pop right back up. However, the student did have a few seconds during which they could open up an inappropriate site that is then not filtered retroactively by the filtering extension. The only known solution to this issue (used by competing Chrome extensions) involved renaming the extension to something innocuous sounding (ex: Chromium M). We quickly ruled out this approach since we felt that this constituted Security through Obscurity. We also asked our contacts at Google if they had plans to make any changes to the Chrome architecture that would make certain extensions “un-killable” by less privileged users. We were told that there were no such plans since this approach would introduce security/privacy issues (ex: a keystroke logger extension would be able to run as a privileged process).

Ultimately, our engineering team was able to devise an elegant approach to solving the problem. On start, the Securly Chrome extension blocks inappropriate content on all open tabs. Since the extension pops back up within a second or two after killing it, after a handful of attempts, a student who is trying to evade the extension using this approach will likely get frustrated and stop trying.
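The startup sweep described above can be sketched as follows. This is an added example, not Securly's code: `BLOCKED_HOSTS`, `BLOCK_PAGE`, `isBlocked` and `sweepOpenTabs` are hypothetical names, the host list is constructed, and a promise-returning `chrome.tabs` API with permission to read tab URLs is assumed.

```javascript
// Added example: re-check every open tab each time the background script starts.
// BLOCKED_HOSTS and BLOCK_PAGE are constructed placeholders, not real policy data.
const BLOCKED_HOSTS = new Set(["blocked.example"]);
const BLOCK_PAGE = "https://filter.example/blocked";

// True when the URL's host is a blocked host or a subdomain of one.
function isBlocked(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return false; // empty or malformed URL: nothing to filter
  }
  for (const blocked of BLOCKED_HOSTS) {
    if (host === blocked || host.endsWith("." + blocked)) return true;
  }
  return false;
}

// tabsApi is chrome.tabs in the extension; a stub with query()/update() in tests.
// Returns the ids of the tabs that were redirected to the block page.
async function sweepOpenTabs(tabsApi) {
  const tabs = await tabsApi.query({}); // {} matches all tabs in all windows
  const redirected = [];
  for (const tab of tabs) {
    // pendingUrl is set when a navigation started but has not committed yet,
    // which is the case for a page opened while the extension was down.
    const url = tab.pendingUrl || tab.url;
    if (url && isBlocked(url)) {
      const target = BLOCK_PAGE + "?u=" + encodeURIComponent(url);
      await tabsApi.update(tab.id, { url: target });
      redirected.push(tab.id);
    }
  }
  return redirected;
}

// Top-level call: runs on every (re)start of the background script, including
// the automatic restart after the extension process is killed.
if (typeof chrome !== "undefined" && chrome.tabs) {
  sweepOpenTabs(chrome.tabs);
}
```

Running the sweep from top-level code rather than from a browser-startup event is what makes it cover the restart-after-kill case; the sweep is idempotent, so repeated runs are harmless.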

We’d like to give a shoutout to customers Lucas Cowden (Park Ridge-Niles School Dist. 64) and Kyle Freise (Batavia Public SD 101) who brought this to our attention.

2) Gaming the address bar for fun and profit
Our customer Phil Feichko brought this evasion to our attention: “Search for anything in omni/URL search box. Then, type site for bypass (maxim.com) in search box at top of browser window. (This is the Google search box with the text still displayed from the previous search.) Then click back arrow in browser. Then click the link for the site in the search results (maxim.com). This gives a one page at a time bypass for sites.”

Thanks Phil! – This issue has been addressed as well.

3) Web-cache based evasion
One of our developers found a way to evade Securly using the Chrome web-cache in certain corner cases. This issue has been addressed in the new release.

4) Initial Accept/Cancel button
This evasion was reported against the accept/cancel prompt that a student faces the very first time our extension requests consent to be initialized. We explored all options available and found an elegant solution that not only fixes the evasion, but also gets rid of the accept/cancel prompt that confused some students. As a bonus, this solution also works offline!

5) Reloading issue
The “Reloading” issue that has affected some of you has now been fixed. We wanted to assure you that this issue did not affect any essential functionality.

Please do let us know if you have any additional questions.
