Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests

Ability to block 'view source' for specific URLs hasn't actually worked for years

Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.

Back on October 15, 2018 an employee of Amplified IT, a Google education partner since acquired by CDW, filed a bug report describing how the Chromium URL Blocklist – which administrators can set to conform with organization or enterprise policy – doesn't actually work.

Evidently, tech savvy students were viewing the source code of web-based tests to determine the answers.

"With view-source in the URLBlacklist, the view-source:http://[URL] should not be available," the bug report explains. "With schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers."

Students are able to use this shortcut to search through the source of the page, and determine the correct answers

Despite ample evidence that this was a problem, in the form of confirmation from Google employees reporting similar concerns from education customers and from videos explaining how to view web page source code to cheat, the bug that prevented URL Blocklist from catching when a URL contains the view-source: prefix lingered untended until a few days ago.

It was fixed by Microsoft principal program manager Eric Lawrence, a veteran browser developer who also spent several years at Google. Microsoft's Edge browser, like Google'e Chrome, is based on the open-source Chromium project.

The abstract prospect of losing access to the ability to view web page source code alarmed various people online and without any basis was linked to a recent public spat involving the viewing of web source code: Missouri Governor Mike Parson's absurd claim that a reporter's scrutiny of webpage code to uncover insecure data handling amounted to unlawful hacking.

While there is some reason to complain that Chromium will finally get URL Blocklist working as intended – no one likes to be treated like a child or to have their tools hobbled by an administrator – it's really not much of one.

In the context of education, it's possible to argue that denying students the ability to view web source code will foreclose a longstanding path to learning how to write web applications. Ignoring how popular web apps are often obfuscated to prevent meddling, this bug fix hardly denies all avenues for looking at web pages, like saving them locally and then opening them in a text editor (though that too can be blocked via policy controls).

Attempting to address critics, Lawrence explained his rationale for squashing the URL Blocklist bug in a post to Hacker News earlier this week. He wrote:

  1. I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
  2. This policy only can be set on managed machines.
  3. This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
  4. I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.

Not everyone accepted that explanation. In reply, Janne Mareike Koschinski, a computer scientist based in Germany who maintains Quasseldroid, condemned Lawrence.

"Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that," Koschinski wrote. "This curiosity needs to be encouraged, not stopped. … If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet."

Apple's Safari browser runs the risk of becoming the new Internet Explorer – holding the web back for everyone


That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.

Let's assume for the sake of moving things along that Lawrence's bug fix isn't the Orwellian boot of oppression alluded to above. Nonetheless, it is adjacent to legitimate concern about technological disempowerment, for which there are far better examples, such as proctoring software that surveils students and their devices, or work-monitoring software that applies similar scrutiny to remote workers.

It's fair to say there should be more discussion with the privileged who apply administrative controls – schools, employers, and other authorities – to explore what's reasonable and what's oppressive, particularly in the US where freedom is something that supposedly can be had. We should all be so fortunate as to have our IT tools work for us rather than against us.

Until that gets resolved, cherish the software bugs – the enduring shoddiness of software ensures any technical expression of authoritarianism will be hackable. ®

Send us news

Google submits complaints about Microsoft licensing to UK competition regulator

Now Microsoft has regulator breathing down its neck in three regions

Uh-oh, update Google Chrome – exploit already out there for one of these 6 security holes

Plus: 3 critical CVEs in Zyxel NAS devices

Microsoft issues deadline for end of Windows 10 support – it's pay to play for security

Limited options will be available into 2028, for an undisclosed price

Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

Akamai says it reported the flaws to Microsoft. Redmond shrugged

Fancy Bear goes phishing in US, European high-value networks

GRU-linked crew going after our code warns Microsoft - Outlook not good

Today's 'China is misbehaving online' allegations come from Google, Meta

Zuck boots propagandists, Big G finds surge of action directed at Taiwan

Either the FBI is recruiting in Iran – or some govt Google ad buyers are getting a lousy deal

Advertisers may be surprised to find where their banners appear

Microsoft's bug bounty turns 10. Are these kinds of rewards making code more secure?

Katie Moussouris, who pioneered Redmond's program, says folks are focusing on the wrong thing

Google launches Gemini AI systems, claims it's beating OpenAI and others - mostly

Gemini accepts text, images, audio, and video and comes in three flavors

Time to take action: Google's inactive account purge begins Friday

You should've received an email if you're affected, but here's a reminder just in case

Google releases fix for missing Drive for desktop files

Just install the latest client and follow the instructions, but don't ask questions

How to give Windows Hello the finger and login as someone on their stolen laptop

Not that we're encouraging anyone to defeat this fingerprint authentication