this post was submitted on 26 Jun 2023
84 points (100.0% liked)

Technology

37799 readers
277 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

A dev recently discovered a browser built into the settings (for any google app that lets you edit settings). From there you can bypass parental controls or enterprise restrictions.

This is a pretty exciting "extra feature", Google!

top 18 comments
sorted by: hot top controversial new old
[–] sibloure@beehaw.org 57 points 2 years ago (2 children)

This is kinda funny. During a family vacation as a kid, I went down to the hotel business center to use a computer kiosk but it required payment. I was bored so I was clicking around on the locked screen's hotel logo and got to their company about page, and a bit more link clicking eventually got me out of the company's website and to a google search page. I browsed for free for what seemed like an hour and did it again the next day before we went home.

[–] variants_of_concern@lemmy.one 20 points 2 years ago (1 children)

boredom has made me the man I am today, its tough now a days to get bored and not pull out your phone and browse lemmy instead of doing your hobbies

[–] troyunrau@lemmy.ca 6 points 2 years ago (2 children)

I have a memory of something similar at a travel tourism kiosk. Kiosk was locked to their webpage. Right clicked an image, chose "save as", navigated to something with a folder, right clicked and chose "Open in New Window" (might be misrembering -- older version of windows) to pop up Windows Explorer. Windows Explorer, at the time, embedded Internet Explorer 4 if you typed a URL in the address bar, so off the races I was.

Life before smartphones, man.

[–] spunker88@kbin.social 6 points 2 years ago (1 children)

The older versions of IE back in the Windows 9X era would essentially turn into Windows Explorer if you put a local file path into them. I remember using this exploit back in the day on our school computers that ran a locked down version of Windows where you couldn't browse anything in Windows Explorer beyond your personal network folder. I found that by typing C:/ into the IE address bar it would turn IE into Windows Explorer mode and from there I had full access to the C drive and could even open up the folder tree sidebar thing and browse the local network, finding all sorts of folders that I wasn't supposed to be able to access.

[–] troyunrau@lemmy.ca 1 points 2 years ago (1 children)

Right! Just typing C:\Windows\command.com in the address bar was usually enough to completely control a system :)

[–] sibloure@beehaw.org 1 points 2 years ago

That is evil genius and I love it.

[–] sibloure@beehaw.org 2 points 2 years ago

Haha, yes! Sounds about right. Someone could create a puzzle game where you trying to escape a vendor kiosk and it gets progressively more complex as you go on.

[–] TWeaK@lemm.ee 20 points 2 years ago (2 children)

This isn't a secret browser, it's Android System Webview - the system browser apps use when they aren't a browser.

What they've found here is a route to google.com from a webview page accessed from within the settings.

[–] wet_lettuce@beehaw.org 3 points 2 years ago (1 children)

100% but I believe these are typically locked down to one domain, and in this case its not.

At least thats how I understand it. So I guess the article is a little misleading in that sense, but the net effect is the same. You have carte blanche access to the web, via android system webview, thats acting as a de-facto out-of-band browser. So its misconfigured or not locked down, which means you can use it effectively as a "hidden" browser.

[–] TWeaK@lemm.ee 6 points 2 years ago

ASW isn't locked down to any domains though, it's just a basic browser, one that typically doesn't let you type in a url to go to any other domains. It's not locked down, you're just limited in how you can navigate.

What happened here is someone managed to navigate from one page to another page and then another, in order to ultimately get to google.com and search for whatever page they wanted. The initial web pages presented linked outside of what it maybe should have.

Whether ASW should be under parental controls is another matter. Apparently it isn't (at least not parental controls that affect only installed browser apps) but that could have valid functional reasons behind it.

[–] sznio@beehaw.org 1 points 2 years ago* (last edited 2 years ago)

I think the mm object is the most worrying thing about this, not the fact that it's a standard WebView.

[–] MyMulligan@lemmy.one 9 points 2 years ago (3 children)

Curious if someone in an abusive relationship could use this trick if their phone was being monitored. If the abuser was just monitoring them with the phone's parental controls this would work but if there was an app probably not?

[–] RandoCalrandian@kbin.social 10 points 2 years ago

They’re already in an abusive relationship, with Google

[–] troyunrau@lemmy.ca 1 points 2 years ago

Unfortunately, it's hard to discover this trick on its own, unless you're already clever enough to find other ways around it.

[–] Moonrise2473@feddit.it 1 points 2 years ago

the was a news here on lemmy where someone got in prison because the local county has put some malware in the phone. It logged a single request to Pornhub, so the guy bail was revoked

[–] CanadaPlus@lemmy.sdf.org 6 points 2 years ago

Lol, sort of confession time. I was writing an essay for a major exam once, and I tried using Word's built-in search function just to see if it would work. It did, and nobody was the wiser.

I didn't actually cheat; I didn't need to. But, I felt proud for figuring out a way I could have, haha.

[–] grey@discuss.tchncs.de 2 points 2 years ago

That's still pretty bad. I'm surprised google didn't think so.