Issue Overview
A bypass vulnerability has been identified affecting Chromebook users with the Securly extension, where certain third-party login workflows can be used to access restricted sites.
Root Cause
This bypass occurs because the Google sign-in page is a protected page: for user privacy reasons, Chrome does not let browser extensions, including Securly, observe or control what happens inside it.
A student can abuse a site's third-party login flow to open a hidden web window that loads inside that protected space. Because the URL in the address bar still shows the trusted sign-in page, the extension is unaware of the other sites being opened within it. This creates a temporary blind spot in which the extension's visibility is restricted by Chrome itself.
Resolution: Network-Level Enforcement
Because a browser extension cannot intervene inside the protected page, the resolution enforces the policy at the network layer (DNS). When the student clicks a blocked link, the filtering resolver sees the hostname lookup, refuses to resolve it, and the connection is never established, so the page does not load. DNS enforcement decides per hostname, not per URL, and it applies regardless of which window or tab issued the request.
1. DNS Filtering
- Ensure that the school network is pointed to Securly’s DNS servers.
- Securly will enable DNS Filtering on ChromeOS devices for your school district.
Please reach out to our Support team for any assistance concerning DNS filtering setup on ChromeOS devices.
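As an added illustration (not Securly's code or configuration), the following Python script shows what a DNS-layer filter sees and decides: it parses a raw DNS query packet, extracts the queried hostname, and applies a suffix-matching block list. The block list, the sinkhole address 192.0.2.1 and the sample query names are constructed for the example; Securly's actual resolver policy and block-page address are not documented on this page.

```python
"""
Added example (not Securly's code): what a DNS-layer filter sees and decides.

The extension is blind inside the sign-in page, but every site the hidden
window loads must still resolve a hostname through the resolver the network
points at. This parses a DNS query in wire format, extracts the queried name,
and applies a suffix-matching block list, the minimal shape of the enforcement
described in the article.
"""
import struct

# Constructed block list (illustrative): a listed zone blocks itself and
# every subdomain beneath it.
BLOCKED_ZONES = {"example-games.test", "proxy-site.test"}

# Constructed sinkhole address: returned for blocked names so the browser
# lands on a block page instead of the real site. Not Securly's real value.
SINKHOLE_IP = "192.0.2.1"


def parse_qname(packet: bytes) -> str:
    """Return the first question name from a DNS query packet (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected label pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_blocked(name: str) -> bool:
    """Label-wise suffix match: 'cdn.example-games.test' is covered by 'example-games.test',
    while 'notexample-games.test' is not (no substring false positives)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKED_ZONES for i in range(len(parts)))


def decide(packet: bytes) -> dict:
    """Verdict for one query: allow (forward upstream) or block (answer with the sinkhole).
    Note what is absent: the resolver never learns which tab or window sent the query."""
    name = parse_qname(packet)
    if is_blocked(name):
        return {"qname": name, "action": "block", "answer": SINKHOLE_IP}
    return {"qname": name, "action": "allow", "answer": None}


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Construct a minimal A-record query packet so the example runs offline."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    # Constructed sample lookups: a trusted sign-in host and two hidden-window targets.
    for host in ("accounts.google.com", "cdn.example-games.test", "www.proxy-site.test"):
        print(decide(build_query(host)))
```

The resolver only ever sees the hostname, which is exactly why the protected-page blind spot does not apply at this layer. Two caveats follow from the same fact: a hostname is blocked or allowed in its entirety, so a permitted host cannot be filtered by URL path, and the devices must actually send their lookups to the filtering resolver (Chrome's built-in Secure DNS, governed by the DnsOverHttpsMode policy, can otherwise route queries to a public DNS-over-HTTPS provider).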
2. Admin-Level Mitigations (Optional)
To further harden your environment, Google Workspace admins can apply the following settings. Note that they may not apply if your district uses a third-party authentication service for student logins.
- Disable OAuth account linking:
  - Navigate to Devices > Chrome > Settings > User & Browser Settings.
  - Find "Allow users to link their Google Account with third-party services" and set it to "Do not allow".
- Block API access:
  - Navigate to Security > API Controls > App Access Control.
  - Search for the third-party platform involved in the bypass (for example GitHub) and set it to Blocked. This removes that platform's sign-in workflow from the bypass path.
Known Limitations
Double logging: when the extension and DNS filtering run at the same time, activity reports may record the same event twice (once from the extension, once from DNS).