The Google Admin Bootcamp

Chromebook security settings: closing loopholes on student exploits

January 15, 2026 by John R. Sowash

Managing your Chromebook security settings is a constant battle. Today’s students can be surprisingly resourceful and creative when it comes to “hacking” a Chromebook. There are three creative exploits that caught my attention:

  1. 🌊 Tab Flooding – Imagine trying to push 100 people through a single doorway at the exact same second. The door frame creates a bottleneck and everything stops. Students do this digitally by running a script that opens hundreds of browser tabs instantly. This overwhelms the Chromebook’s processor, often causing your web filter extension (like GoGuardian, Securly, or Lightspeed) to crash. Once the filter crashes, the device is open to the web.
  2. 📜 History Manipulation – Your filter relies on knowing where a student has been. Students have developed methods to “scrub” or alter the browser history in real time. This effectively creates a “ghost mode,” tricking the browser and your filter into thinking they are on a safe educational site when they are actually playing games or browsing unrestricted content.
  3. 💉 JavaScript Injection – This exploit uses “bookmarklets” – little snippets of JavaScript code saved as a bookmark on the bookmarks bar. When a student is on a restricted page, they click the bookmark, and it “injects” code into the page to rewrite the rules. This can be used to unblock games, alter text, or bypass restrictions on a specific page.

These exploits require a reasonable understanding of ChromeOS and web development to enable. I would not expect the majority of your students to be able to easily access these strategies, but every school district has a few! Updating your Chromebook security settings will help protect you against these (and many other) vulnerabilities.

Step 1: Enable these three policies

There are three basic policies that you should implement to improve your Chromebook security settings. These policies are very basic and should be enabled by all school districts to ensure their Chromebook fleet is optimized for learning:

  1. Turn on automatic updates – Google regularly patches ChromeOS to fix legitimate vulnerabilities. Running the current version of Chrome is the #1 way to prevent abuse.
  2. Block system URLs – Many of these exploits require access to internal chrome:// pages. These internal URLs should be disabled for students through the admin console.
  3. Disable Bookmarklets – Adding “javascript://*” to the URL blocklist in the admin console will prevent students from running bookmarklets that can interfere with your web filter.
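
The three policies above can be checked mechanically. The following is an added example, not code from this article or from the You Shall Not Pass project: it audits a policy snapshot for the three settings and also flags allowlist entries, which take precedence over the blocklist. The flat name-to-value input format and the sample chrome:// pages are assumptions for illustration; `URLBlocklist`, `URLAllowlist` and `DeviceAutoUpdateDisabled` are the Chrome policy names behind the admin console settings.

```python
# Added example: audit a policy snapshot against the three Step 1 settings.
# The flat {policy name: value} input is an assumed format, not a console export.

def _entries(policies, name):
    """Return a policy's list value as lowercase, stripped strings."""
    return [str(v).strip().lower() for v in policies.get(name) or []]

def audit_step1(policies):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []

    # 1. Automatic updates must not be disabled.
    if policies.get("DeviceAutoUpdateDisabled") is True:
        findings.append("updates: DeviceAutoUpdateDisabled is true")

    block = _entries(policies, "URLBlocklist")
    allow = _entries(policies, "URLAllowlist")

    # 2. At least one internal chrome:// page is blocked.
    if not any(e.startswith("chrome://") for e in block):
        findings.append("system URLs: no chrome:// entry in URLBlocklist")

    # 3. The bookmarklet entry from the article is present.
    if "javascript://*" not in block:
        findings.append("bookmarklets: javascript://* missing from URLBlocklist")

    # Allowlist entries take precedence over the blocklist, so flag overlaps.
    for e in allow:
        if e.startswith(("chrome://", "javascript:")):
            findings.append(f"allowlist: {e} overrides the blocklist")
    return findings

# Constructed sample snapshots (not taken from a real device).
WEAK = {
    "DeviceAutoUpdateDisabled": True,
    "URLBlocklist": ["example-games.test"],
    "URLAllowlist": ["chrome://flags"],
}
HARDENED = {
    "DeviceAutoUpdateDisabled": False,
    "URLBlocklist": ["javascript://*", "chrome://flags", "chrome://inspect"],
    "URLAllowlist": [],
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_step1(snap) or "OK")
```
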

Even with these three policies in place, a motivated student can still implement variations of the three exploits outlined above. I have one more strategy to share with you that will improve your Chromebook security settings even further!

 

You Shall Not Pass! 🧙

Fellow IT admin Jim Tyler has been developing a Chrome extension called “You Shall Not Pass” that scans for and blocks variations of the three exploits that I described above. Jim has done the hard work for all of us!

When combined with the policies outlined above, your district will have a strong defense against these known exploits. 

Improve your Chromebook security policies by installing the "You Shall Not Pass" Chrome extension
You can tell this is an effective extension by the 1 star ratings left by students! 🤣

Jim has successfully deployed this extension to 10,000 Chromebooks in his district and has generously made it available to all K12 schools free of charge. This extension is safe, privacy compliant, and ad-free. All data processing occurs locally; no data leaves the device, which makes it safe to use in states with strong student data restrictions.

Students are getting more creative in their ability to bypass required technology safeguards, but the IT directors aren’t doing so bad either!  

Learn more about this topic: 

  • Student GitHub exploit repository (a long list of crowd-sourced hacks by and for students)
  • You Shall Not Pass chrome extension
  • You Shall Not Pass GitHub repository
  • K12SysAdmin Reddit thread
  • Connect with and thank Jim Tyler
