Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Software

Applications

Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests

Ability to block 'view source' for specific URLs hasn't actually worked for years

Thomas Claburn Fri 12 Nov 2021  //  22:40 UTC

Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.

Back on October 15, 2018 an employee of Amplified IT, a Google education partner since acquired by CDW, filed a bug report describing how the Chromium URL Blocklist – which administrators can set to conform with organization or enterprise policy – doesn't actually work.

Evidently, tech savvy students were viewing the source code of web-based tests to determine the answers.

"With view-source in the URLBlacklist, the view-source:http://[URL] should not be available," the bug report explains. "With schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers."

Students are able to use this shortcut to search through the source of the page, and determine the correct answers

Despite ample evidence that this was a problem, in the form of confirmation from Google employees reporting similar concerns from education customers and from videos explaining how to view web page source code to cheat, the bug that prevented URL Blocklist from catching when a URL contains the view-source: prefix lingered untended until a few days ago.

It was fixed by Microsoft principal program manager Eric Lawrence, a veteran browser developer who also spent several years at Google. Microsoft's Edge browser, like Google'e Chrome, is based on the open-source Chromium project.

The abstract prospect of losing access to the ability to view web page source code alarmed various people online and without any basis was linked to a recent public spat involving the viewing of web source code: Missouri Governor Mike Parson's absurd claim that a reporter's scrutiny of webpage code to uncover insecure data handling amounted to unlawful hacking.

While there is some reason to complain that Chromium will finally get URL Blocklist working as intended – no one likes to be treated like a child or to have their tools hobbled by an administrator – it's really not much of one.

In the context of education, it's possible to argue that denying students the ability to view web source code will foreclose a longstanding path to learning how to write web applications. Ignoring how popular web apps are often obfuscated to prevent meddling, this bug fix hardly denies all avenues for looking at web pages, like saving them locally and then opening them in a text editor (though that too can be blocked via policy controls).

Attempting to address critics, Lawrence explained his rationale for squashing the URL Blocklist bug in a post to Hacker News earlier this week. He wrote:

  1. I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
  2. This policy only can be set on managed machines.
  3. This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
  4. I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.

Not everyone accepted that explanation. In reply, Janne Mareike Koschinski, a computer scientist based in Germany who maintains Quasseldroid, condemned Lawrence.

"Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that," Koschinski wrote. "This curiosity needs to be encouraged, not stopped. … If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet."

Apple's Safari browser runs the risk of becoming the new Internet Explorer – holding the web back for everyone

READ MORE

That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.

Let's assume for the sake of moving things along that Lawrence's bug fix isn't the Orwellian boot of oppression alluded to above. Nonetheless, it is adjacent to legitimate concern about technological disempowerment, for which there are far better examples, such as proctoring software that surveils students and their devices, or work-monitoring software that applies similar scrutiny to remote workers.

It's fair to say there should be more discussion with the privileged who apply administrative controls – schools, employers, and other authorities – to explore what's reasonable and what's oppressive, particularly in the US where freedom is something that supposedly can be had. We should all be so fortunate as to have our IT tools work for us rather than against us.

Until that gets resolved, cherish the software bugs – the enduring shoddiness of software ensures any technical expression of authoritarianism will be hackable. ®
Send us news
59 Comments

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

In what other sphere does a bad supplier not feel pain for its foulups?

Microsoft is a national security threat, says ex-White House cyber policy director

With little competition at the goverment level, Windows giant has no incentive to make its systems safer

Microsoft's playdate in Google's Privacy Sandbox gets messy

Targeted ads in Edge may be blocked before they even arrive

Google fires 28 staff after sit-in protest against Israeli cloud deal ends in arrests

Alphabet Workers Union says bosses refuse to listen to concerns

AI gold rush continues as Microsoft invests $1.5B in UAE's G42

Can regulators keep up?

Researchers claim Windows Defender can be fooled into deleting databases

Two rounds of reports and patches may not have completely closed this hole

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

'I want to buy a car. That's all'

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

Google will delete data collected from 'private' browsing

Declares victory in settlement of class action lawsuit, but individual claims remain possible

Google One VPN axed for everyone but Pixel loyalists ... for now

Another one bytes the dust