I suggest that you...

Block chrome://inspect

I recently caught a student using a fairly clever exploit that allows a user to open a window in incognito mode, thus bypassing the GoGuardian extensions and filtering.

Reproduction steps are as follows (screenshots attached):
1. Power on Chromebook. This exploit is most reproducible when the Chromebook has been recently powered on.
2. Log in with an account that is subject to the GoGuardian extensions
3. Navigate to chrome://inspect in the browser
4. Click "Other" menu button on the left-hand side of the screen
5. You will see chrome://app-list and chrome://oobe/lock in this menu. If chrome://oobe/lock does not appear, wait a couple minutes and it should show up
6. Click "inspect" under chrome://oobe/lock - this will launch an inspect window in incognito mode
7. Click the "Audits" tab in the inspect window
8. Click the "Learn more" link to launch an incognito session in a full browser window

As the GoGuardian extensions are not loaded in incognito mode, this completely circumvents GoGuardian filtering and tracking within the incognito session.

This works even when developer tools and incognito mode are disabled in Google Admin as per GoGuardian setup instructions.

Fortunately, resolution is simple - all you need to do is blacklist chrome://inspect in Google Admin under Device management -> Chrome -> User Settings -> URL Blacklist or via the GoGuardian URL blacklist function.

I'd recommend either including chrome://inspect in the default GoGuardian blacklist, or updating the "Getting Started" documentation to add this to the Google Admin URL Blacklist.

5 votes

Taimur Gibson shared this idea
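An added example, not part of the original post and not GoGuardian or Google code: a small audit of a Chrome policy set for the gap described above, where developer tools and incognito are disabled but chrome://inspect is still reachable. It assumes the policy values have been collected into a flat name-to-value dict (the sample dicts are constructed), uses Chrome's enterprise policy names, and matches blocklist entries in a simplified way.

```python
# Added example: check whether a managed Chrome policy set closes the
# chrome://inspect gap. Assumption: policies arrive as a flat {name: value} dict.
INSPECT_URL = "chrome://inspect"

def _norm(pattern):
    """Normalise a filter entry for comparison (case, spaces, trailing slash)."""
    return pattern.strip().lower().rstrip("/")

def blocks_inspect(patterns):
    """Simplified match: exact entry, chrome-wide wildcard, or block-all."""
    covering = {INSPECT_URL, "chrome://*", "*"}
    return any(_norm(p) in covering for p in patterns or [])

def audit(policies):
    """Return a list of findings; an empty list means the gap is closed."""
    findings = []
    # Both the current and the older (deprecated) policy names are honoured.
    blocked = policies.get("URLBlocklist", []) + policies.get("URLBlacklist", [])
    allowed = policies.get("URLAllowlist", []) + policies.get("URLWhitelist", [])
    if not blocks_inspect(blocked):
        findings.append("chrome://inspect is not in the URL blocklist")
    elif any(_norm(p) == INSPECT_URL for p in allowed):
        # Allowlist entries take precedence over the blocklist.
        findings.append("chrome://inspect is re-allowed by the URL allowlist")
    devtools_off = (policies.get("DeveloperToolsAvailability") == 2
                    or policies.get("DeveloperToolsDisabled") is True)
    if not devtools_off:
        findings.append("developer tools are not disabled")
    if policies.get("IncognitoModeAvailability") != 1:
        findings.append("incognito mode is not disabled")
    return findings

# Constructed sample: the setup the post describes, without the URL block.
SETUP_ONLY = {"DeveloperToolsAvailability": 2, "IncognitoModeAvailability": 1}
# Constructed sample: the same setup with the fix from the post applied.
HARDENED = dict(SETUP_ONLY, URLBlocklist=["chrome://inspect"])

if __name__ == "__main__":
    for name, pol in (("setup only", SETUP_ONLY), ("hardened", HARDENED)):
        print(name, "->", audit(pol) or "ok")
```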

13 comments

  • Oscar Ramirez commented

    Blocking this can also be bypassed by going to the taskbar and closing the background processes for a limited time

  • Jose V. commented

    Sry bud we found a shortcut, it's like inspect but we used something else, let's see here javascript:document.body.contentEditable = 'true'; document.designMode='on'; void 0
    speaking of the devil here it is HAHAHA go find another job go guardian.

  • Mr. Jones commented

    This only opened up more ways for my students to find a way to unenroll their computers altogether! Please tell me how I can retrieve them after this!

  • KamS commented

    In the beginning, the trick works good, but 1 week later the oobe/lock doesn't appear. I wait 1 hour and it doesn't appear, I restart the page and it doesn't work. What can I do? HELP PLEASE.ㅠㅠ

  • Kyle Tillman commented

    We just discovered this exploit two weeks ago and I've been shaking my head ever since. We have long had the Dev tools off but that didn't stop this from being accessible. We have since blocked Chrome://inspect but I'm just scouring the internet looking for more ways that the students will try and bypass our filter.

  • Tara commented

    I was able to block inspect in Google Admin Console: Device Management/Chrome Management/User Settings/User Experience/Developer Tools _Never Allow Developer Tools

  • Daniel commented

    Agree this would be a great default currently but may not be needed in the future as Google may fix it permanently.
    You can and should block chrome://inspect in Google Admin Chrome Management.
    This seems to mostly be a Google issue. I called support and spoke to them about the same thing. I have incognito mode restricted through Chrome Management as well but the oobe/lock inspect issue gives kids a backdoor. Google advised me to blacklist chrome://inspect. They are working on a resolution.
