Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests

Ability to block 'view source' for specific URLs hasn't actually worked for years


Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.

Back on October 15, 2018, an employee of Amplified IT, a Google education partner since acquired by CDW, filed a bug report describing how the Chromium URL Blocklist – which administrators can set to conform with organization or enterprise policy – doesn't actually work.

Evidently, tech-savvy students were viewing the source code of web-based tests to determine the answers.

"With view-source in the URLBlacklist, the view-source:http://[URL] should not be available," the bug report explains. "With schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers."

Despite ample evidence that this was a problem, in the form of confirmation from Google employees reporting similar concerns from education customers and from videos explaining how to view web page source code to cheat, the bug that prevented URL Blocklist from catching when a URL contains the view-source: prefix lingered untended until a few days ago.

It was fixed by Microsoft principal program manager Eric Lawrence, a veteran browser developer who also spent several years at Google. Microsoft's Edge browser, like Google's Chrome, is based on the open-source Chromium project.

The abstract prospect of losing the ability to view web page source code alarmed various people online and was linked, without any basis, to a recent public spat involving the viewing of web source code: Missouri Governor Mike Parson's absurd claim that a reporter's scrutiny of webpage code to uncover insecure data handling amounted to unlawful hacking.

While there is some reason to complain that Chromium will finally get URL Blocklist working as intended – no one likes to be treated like a child or to have their tools hobbled by an administrator – it's really not much of one.

In the context of education, it's possible to argue that denying students the ability to view web source code will foreclose a longstanding path to learning how to write web applications. Ignoring how popular web apps are often obfuscated to prevent meddling, this bug fix hardly denies all avenues for looking at web pages, like saving them locally and then opening them in a text editor (though that too can be blocked via policy controls).

Attempting to address critics, Lawrence explained his rationale for squashing the URL Blocklist bug in a post to Hacker News earlier this week. He wrote:

  1. I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
  2. This policy only can be set on managed machines.
  3. This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
  4. I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.

Not everyone accepted that explanation. In reply, Janne Mareike Koschinski, a computer scientist based in Germany who maintains Quasseldroid, condemned Lawrence.

"Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that," Koschinski wrote. "This curiosity needs to be encouraged, not stopped. … If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet."

That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.

Let's assume for the sake of moving things along that Lawrence's bug fix isn't the Orwellian boot of oppression alluded to above. Nonetheless, it is adjacent to legitimate concern about technological disempowerment, for which there are far better examples, such as proctoring software that surveils students and their devices, or work-monitoring software that applies similar scrutiny to remote workers.

It's fair to say there should be more discussion with the privileged who apply administrative controls – schools, employers, and other authorities – to explore what's reasonable and what's oppressive, particularly in the US where freedom is something that supposedly can be had. We should all be so fortunate as to have our IT tools work for us rather than against us.

Until that gets resolved, cherish the software bugs – the enduring shoddiness of software ensures any technical expression of authoritarianism will be hackable. ®


Biting the hand that feeds IT © 1998–2022