Andrew Jorgensen
It's better than bad, it's good!

An iframe Easily Defeats Securly

insecurly

Securly is a content filtering service used extensively in the education sector. They have a Chrome extension the school enforces on student Chromebooks to block a wide variety of sites including time-wasters like slither.io. It has, I assume, a great reputation among school administrators and a long history of flaws exploited by persistent students.

Back in February 2017 I reported a trivial exploit to our School District, who reported it to Securly and included me in the support ticket. Of course they harassed my son about it, but we got that cleared up. Securly requested a phone call to discuss the issue in April 2017 but I must have been too busy for a call at the time. I sent them detailed instructions and live examples in June 2017. In April 2018 they got back to me with a note that they would get back to me again when they had an update from the developers. It's now November 2018. School is in session again. It's time to publish.

The exploit is super simple, and school districts all over the world are going to try a lot of stupid things like banning text editors to block it. Sorry about that, kids. And granted, this is very likely not Securly's fault. Far more likely Google doesn't give them enough control to allow them to plug this hole, for reasons that will be obvious to anyone who knows how Google makes money.

So here goes. If you're on a device restricted by Securly, head on over to http://s3-us-west-2.amazonaws.com/insecurly/iframe.html and type an http:// URL of a blocked site into the box at the top. Some sites will redirect to https://, as they certainly should, and so those won't work so well. For many of those, go to https://s3-us-west-2.amazonaws.com/insecurly/iframe.html instead. Most social media sites won't work, but a lot of time wasters will, and there are probably ways to improve the exploit so that some of the social media sites will to. Please comment if you know how.

What's going on? Securly can't block the contents of iframes. An iframe is a box on a website that contains another website. They're used extensively for ads, and they were very cool back in the 90s. You don't even have to host it on a server, if the site you're looking for doesn't require HTTPS. You can type it up in a text editor, save it to disk, and point your browser at it.

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>insecurly</title>
    <script type="text/javascript">
function load(element) {
    if (event.keyCode == 13) {
        document.getElementById('iframe').src = element.value;
    }
}
    </script>
  </head>
  <body>
    <div>
      <input type="text" size="60" onkeydown="load(this)"/>
    </div>
    <iframe id="iframe" src="about:blank" style="width:100%; height:600px;"></iframe>
  </body>
</html>

As a parent, I will be happier when Securly takes this seriously and finds a way to fix it, though I have a hunch the kids will always be one step ahead of them. Just the other day my younger son told me that they can also defeat Securly by loading 50 instances of the page they want at once (haven't tried it yet, but I'm sure it sometimes works). But Securly consistently failed to address the issue for more than a year, and I told them I intended to publish back in June 2017, so I finally got around to it.