Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests
Ability to block 'view source' for specific URLs hasn't actually worked for years
Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.
Back on October 15, 2018 an employee of Amplified IT, a Google education partner since acquired by CDW, filed a bug report describing how the Chromium URL Blocklist – which administrators can set to conform with organization or enterprise policy – doesn't actually work.
Evidently, tech savvy students were viewing the source code of web-based tests to determine the answers.
view-source in the URLBlacklist, the
view-source:http://[URL] should not be available," the bug report explains. "With schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers."
Students are able to use this shortcut to search through the source of the page, and determine the correct answers
Despite ample evidence that this was a problem, in the form of confirmation from Google employees reporting similar concerns from education customers and from videos explaining how to view web page source code to cheat, the bug that prevented URL Blocklist from catching when a URL contains the
view-source: prefix lingered untended until a few days ago.
It was fixed by Microsoft principal program manager Eric Lawrence, a veteran browser developer who also spent several years at Google. Microsoft's Edge browser, like Google'e Chrome, is based on the open-source Chromium project.
The abstract prospect of losing access to the ability to view web page source code alarmed various people online and without any basis was linked to a recent public spat involving the viewing of web source code: Missouri Governor Mike Parson's absurd claim that a reporter's scrutiny of webpage code to uncover insecure data handling amounted to unlawful hacking.
While there is some reason to complain that Chromium will finally get URL Blocklist working as intended – no one likes to be treated like a child or to have their tools hobbled by an administrator – it's really not much of one.
In the context of education, it's possible to argue that denying students the ability to view web source code will foreclose a longstanding path to learning how to write web applications. Ignoring how popular web apps are often obfuscated to prevent meddling, this bug fix hardly denies all avenues for looking at web pages, like saving them locally and then opening them in a text editor (though that too can be blocked via policy controls).
Attempting to address critics, Lawrence explained his rationale for squashing the URL Blocklist bug in a post to Hacker News earlier this week. He wrote:
- I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
- This policy only can be set on managed machines.
- This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
- I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.
Not everyone accepted that explanation. In reply, Janne Mareike Koschinski, a computer scientist based in Germany who maintains Quasseldroid, condemned Lawrence.
"Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that," Koschinski wrote. "This curiosity needs to be encouraged, not stopped. … If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet."
Apple's Safari browser runs the risk of becoming the new Internet Explorer – holding the web back for everyoneREAD MORE
That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.
Let's assume for the sake of moving things along that Lawrence's bug fix isn't the Orwellian boot of oppression alluded to above. Nonetheless, it is adjacent to legitimate concern about technological disempowerment, for which there are far better examples, such as proctoring software that surveils students and their devices, or work-monitoring software that applies similar scrutiny to remote workers.
It's fair to say there should be more discussion with the privileged who apply administrative controls – schools, employers, and other authorities – to explore what's reasonable and what's oppressive, particularly in the US where freedom is something that supposedly can be had. We should all be so fortunate as to have our IT tools work for us rather than against us.
Until that gets resolved, cherish the software bugs – the enduring shoddiness of software ensures any technical expression of authoritarianism will be hackable. ®
- App stores
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Internet Explorer
- Kenna Security
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- Office 365
- Palo Alto Networks
- Patch Tuesday
- Privacy Sandbox
- SQL Server
- Tavis Ormandy
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360
- Zero trust