Students Using The College Board App to Get Around the Web Filter

mpartenope4676
Contributor

These friggin' kids! Bless them for their persistence. Hopefully one day it'll be put to better use. This YouTube video shows how to get around the web filter with the College Board kiosk app. Apparently this channel is filled with workarounds for all sorts of things!

https://www.youtube.com/watch?v=xkzDQO9H7hE


sundermannc
New Contributor III

This is a pretty old workaround. I don't think it exists anymore, as they (College Board) don't use that app any more. Google this and you'll find a few Reddit threads from 3 years ago.

To be fair, when this was a thing, it was something we dealt with a lot. Luckily, the kiosk apps we use don't have those kinds of login workarounds any longer.

ddelboccio
Contributor III

I just blocked this kid's entire channel.

steve
New Contributor III

I think that kiosk app has been deprecated in favor of a Chrome extension that runs while the students are logged in (and hence should still be covered by your filter). See https://apclassroom.collegeboard.org/lockdown?SFMC_cid=EM1303493- and https://media.academicmerit.com/apclassroom/PreAP/CB+LockDown+Browser+for+Chromebooks_ADA.pdf?SFMC_c... .

We just run the "Blue Book" kiosk app they have, which doesn't seem to have this vulnerability?

I'll look into this, thanks! I feel like we tried it early on and it was glitchy so we continued with the kiosk app.

Forgive the public correction. It's "deprecated," not "depreciated."


Mark Loundy (He, Him, His)

Instructional Technology Specialist
De Vargas Elementary School
Ignited Fellow
Google Certified Educator

steve
New Contributor III

Thanks, I've corrected the post.

9330cashmore
New Contributor II

We also apply filtering rules to the different networks/VLANs/subnets. Any device on the subnet the student devices are on gets the same filter rules, just to stop things like this.

We use LightSpeed and they advised us not to force devices to go through Relay Rocket/Network Agent/SmartShield or whatever it is they're calling it these days. They said to let the agent do the filtering. What I did just figure out, however, is that a kiosk URL blocking setting exists in the Admin Console here: Devices > Chrome > Settings > Device > URL blocking. I just added policies.google.com and support.google.com to the block list here. One could put an asterisk and block everything, but then one would have to figure out ALL the URLs that are required for whichever kiosk apps you're using. 😞

We are using LightSpeed Relay also. But in kiosk mode Chromebooks don't have a "user session" to load the Relay extension. That is why the LightSpeed DNS filter (Smart Shield/Network Agent/...) gets to do the work.

sleeciambra
New Contributor II

I read about this last week - https://github.com/Blobby-Boi/ExtHang3r

It brings students to a page where they can hang and then kill extensions. I was able to kill the GoGuardian extension using a student account on one of our devices. You can block data://* or Chrome extensions to prevent it from working. 

My BLOCKED URLs settings for students already include "data://*", and it did not prevent this page from loading.

Ok, forgive my ignorance, what does data://* block? And this is something that is suggested we add to URL Blocking under User settings as well as kiosk?

@sleeciambra I can confirm this works as a bypass to Securly too. As usual, their support didn't understand what I was saying at first, so I had to demonstrate it for them.

https://drive.google.com/file/d/1rfj41JObtFgHEjgcPg2exFZbPVrPeJ1f/view?usp=sharing

We did block data:// and that worked to stop the bypass. However, we quickly learned that this breaks some sites... One site being Pear Deck, which is used by our teachers, so we had to unblock it. We are now blocking chrome://extensions instead, but this may have its own challenges, to be determined on that.

@ddelboccio Make sure your blocked settings are on the user settings, not device settings, and it will block data://*, if you want to go that route. (However, be aware that this will break some sites, as we learned.)

If you are using GoGuardian, complain to your rep. Same with Securly. They need to patch this exploit. Also @sleeciambra it might be worth you starting a new thread for this, since it's a different topic than the College Board app.

ddelboccio
Contributor III

When testing this from my student chromebook, I did not have to complete the second step of opening the extensions tab and disabling. 

My GoGuardian extensions were disabled just from step 1.

Besides, I already have the extensions page blocked for students, so they wouldn't be able to access that part.


msnead
New Contributor II

Two points:

#1) For the actual topic of this thread, we have this in the blocklist for the device settings (i.e. kiosks):

google.com
yahoo.com
bing.com
duckduckgo.com
tiktok.com
facebook.com
yandex.com
baidu.com
discord.com
youtube.com
ask.com
search.brave.com

along with "accounts.google.com" (without quotes) in the exceptions list. This prevents people from finding a way to navigate to most search pages and social media links, which are the primary means of exploiting the kiosks.

#2) @sundermannc thanks for your post and video link. I heard about this hack before but dismissed it when the data:// method didn't work for us, but the HTML code method worked just fine. We have also put in the chrome://extensions block for now.

In case anyone else is wondering, we tried just blocking the direct URL of the extension itself so that we didn't have to block the whole extensions interface. While the block works when going to the link directly, if you just navigate to the extensions management screen (chrome://extensions) and click on your filter's extension, it ignores the URL block until you refresh the page (... and then the browser crashes, lol).

We submitted a support ticket to our filter vendor (Linewize).
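For anyone wondering why the "accounts.google.com" exception in the post above still lets the kiosk sign in while "google.com" is in the block list, here is a small Python model of how Chrome picks between URLBlocklist and URLAllowlist entries. This is an added example written for this thread; it is not Chrome's code, Google's code, or anything posted by the people above. It implements the documented filter format [scheme://][.]host[:port][/path] and the documented rule that the most specific matching filter wins, with the allowlist winning a tie. Two simplifications are assumptions of this example: ports and @query parts are ignored, and specificity is approximated as (number of matched host labels, length of matched path prefix). The block list below is the one from the post above plus the chrome://extensions entry discussed earlier in the thread; the "data://*" entry and the leading-dot pattern are only used in the demo at the bottom.

```python
"""Simplified model of how Chrome applies URLBlocklist / URLAllowlist.

Added example, not Chrome's code. Models the documented filter format
    [scheme://][.]host[:port][/path]
and the rule "most specific matching filter wins; URLAllowlist wins a tie".
Assumptions: ports and @query are ignored; specificity is approximated as
(matched host labels, length of path prefix).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Filter:
    scheme: Optional[str]  # None: any scheme
    host: str              # "*": any host
    exact_host: bool       # pattern began with "." -> no subdomain matching
    path: str              # prefix match; "" matches every path
    allow: bool            # True if the entry came from URLAllowlist


def parse_filter(pattern: str, allow: bool) -> Filter:
    scheme: Optional[str] = None
    rest = pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    exact = rest.startswith(".")          # ".example.com" = exact host only
    rest = rest.lstrip(".")
    host, sep, path = rest.partition("/")
    host = host.split(":", 1)[0].lower()  # port dropped (assumption)
    return Filter(scheme, host, exact, sep + path if sep else "", allow)


def specificity(f: Filter, url: str) -> Optional[tuple[int, int]]:
    """Return (host_labels, path_len) if f matches url, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if f.scheme is not None and f.scheme != u.scheme.lower():
        return None
    if f.host == "*":
        host_score = 0
    elif host == f.host or (not f.exact_host and host.endswith("." + f.host)):
        host_score = f.host.count(".") + 1   # "accounts.google.com" = 3 labels
    else:
        return None
    path = u.path or "/"
    if f.path and not path.startswith(f.path):
        return None
    return (host_score, len(f.path))


def is_blocked(url: str, blocklist: list[str], allowlist: list[str]) -> bool:
    """True if the most specific matching entry is a blocklist entry."""
    filters = [parse_filter(p, False) for p in blocklist] + \
              [parse_filter(p, True) for p in allowlist]
    best: Optional[tuple[tuple[int, int], bool]] = None
    for f in filters:
        score = specificity(f, url)
        if score is None:
            continue
        key = (score, f.allow)   # on an equal score, True (allow) sorts higher
        if best is None or key > best:
            best = key
    return best is not None and not best[1]


# Device-level (kiosk) lists from the post above, plus chrome://extensions.
KIOSK_BLOCKLIST = [
    "google.com", "yahoo.com", "bing.com", "duckduckgo.com", "tiktok.com",
    "facebook.com", "yandex.com", "baidu.com", "discord.com", "youtube.com",
    "ask.com", "search.brave.com", "chrome://extensions",
]
KIOSK_ALLOWLIST = ["accounts.google.com"]


if __name__ == "__main__":
    # Constructed sample URLs; the data: URL stands in for the ExtHang3r-style
    # page the thread discusses, it is not that page.
    demo = [
        "https://www.google.com/search?q=x",   # blocked by google.com
        "https://accounts.google.com/signin",  # allowlist entry is more specific
        "https://docs.google.com/",            # every other google.com subdomain stays blocked
        "chrome://extensions/",                # blocked by the chrome:// entry
        "https://brave.com/",                  # only search.brave.com is listed
        "data:text/html,<h1>x</h1>",           # only blocked if data://* is added
    ]
    for url in demo:
        print(f"{'BLOCK' if is_blocked(url, KIOSK_BLOCKLIST, KIOSK_ALLOWLIST) else 'allow':5}  {url}")
    # Adding data://* catches the data: URL (and, per the thread, some legitimate sites).
    print(is_blocked(demo[-1], KIOSK_BLOCKLIST + ["data://*"], KIOSK_ALLOWLIST))
```

The practical takeaways the model shows: a host entry matches all of its subdomains unless you prefix it with a dot, a longer host in the exceptions list beats a shorter host in the block list, and "data://*" (scheme match, any host) is the least specific entry possible, so a single more specific allowlist entry for a site you need will override it for that site only.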