I recently caught a student using a fairly clever exploit that allows a user to open a window in incognito mode, thus bypassing the GoGuardian extensions and filtering.
Reproduction steps are as follows (screenshots attached):
1. Power on Chromebook. This exploit is most reproduceable when the Chromebook is has been recently powered on.
2. Log in with an account that is subject to the GoGuardian extensions
3. Navigate to chrome://inspect in the browser
4. Click "Other" menu button on the left-hand side of the screen
5. You will see chrome://app-list and chrome://oobe/lock in this menu. If chrome://oobe/lock does not appear, wait a couple minutes and it should show up
6. Click "inspect" under chrome://oobe/lock - this will launch an inspect window in incognito mode
7. Click the "Audits" tab in the inspect window
8. Click the "Learn more" link to launch an incognito session in a full browser window
As the GoGuardian extensions are not loaded in incognito mode, this completely circumvents GoGuardian filtering and tracking within the incognito session.
This works even when developer tools and incognito mode are disabled in Google Admin as per GoGuardian setup instructions.
Fortunately, resolution is simple - all you need to do is blacklist chrome://inspect in Google Admin under Device management -> Chrome -> User Settings -> URL Blacklist or via the GoGuardian URL blacklist function.
I'd recommend either including chrome://inspect in the default GoGuardian blacklist, or updating the "Getting Started" documentation to add this to the Google Admin URL Blacklist.
@The Hacker how
The Hacker commented
Goguardian is so trash I was able to hack it completely. I had dev tools blocked and dev mode blocked. I also had Gsuite on my Chromebook. I was able to remove it even though that was blocked. I was also able to remove the whole enterprise enrollment and management on the Chromebook. It was awesome and now I can do anything. All you have to do is have some hacking magic and some luck. So now I have a school Chromebook that when you turn it on it doesn't have and management and Goguardian is completely gone like ****. Go guardian deserves that because it Is so stupid and I was able to hack it completely if you want to know how I did it just ask me. THIS IS NOT A JOKE. I AM NOT RESPONSIBLE IF YOU GET CAUGHT USING MY METHOD
nun yaaaaaa commented
f*** go guardian
go guardian is for gays
Surjo Ganguly commented
This is a very nooby way of hacking out of it XD.
GoGuardian programmers think it's SO hard to break out of it.
I use a better strategy, but I won't be revealing it publicly because, duh!
(Contact me on Discord, my username is "DANK Walker 30263" if you want to know how to go past it)
go guardian should not be a ******* website i mean how do you ******* learn!
Kyle Tillman commented
We just discovered this exploit two weeks ago and I've been shaking my head ever since. We have long had the Dev tools off but that didn't stop this from being accessible. We have since blocked Chrome://inspect but I'm just scouring the internet looking for more ways that the students will try and bypass our filter.
I was able to block inspect in Google Admin Console: Device Management/Chrome Management/User Settings/User Experience/Developer Tools _Never Allow Developer Tools
Agree this would be a great default currently but may not be needed in the future as Google may fix it permanently.
You can and should block chrome://inspect in Google Admin Chrome Management.
This seems to mostly be a Google issue. I called support and spoke to them about the same thing. I have incognito mode restricted through Chrome Management as well but the oobe/lock inspect issue gives kids backdoor. Google advised me to blacklist chrome://inspect. They are working on a resolution.