Google has another secret browser

Original link: https://matan-h.com/another-secret-browser

A recent discovery reveals a hidden, untraceable browser in Google's Android platform. By creating a modified contact entry with the link "gds.google.com/gmsdrops" in the "Website" field, one can access the Google Android browser while in parental control mode, a mode known for restricting internet use by children or by employees under workplace monitoring. Similarly, entering the link "https://podcasts.google.com" allows access to this covert browser even during Screen Pinning Mode, which prevents users from exiting the current app without authorization, for example when making a phone call through a third-party application. Although these features were considered intentional design choices aimed at overcoming limitations, security experts suggest caution and encourage responsible testing rather than exploitation. This newly disclosed information highlights an intriguing potential for misuse amid heightened scrutiny surrounding privacy and data protection concerns across digital platforms.

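No, this does not refer to the Google associated with Project Zero. These are separate entities. However, the statement cited in this section implies a comment on the subjective nature of the arguments raised earlier about deliberately introduced security flaws versus mistakes. "Toad pond" refers to malicious actors who might target vulnerabilities in Android Webview to conduct cyber espionage or other nefarious activities, and it underscores the real consequences of poor security decisions made by developers, platform providers and manufacturers in mobile operating systems. These consequences can have dire effects on individuals, organizations, governments, and societies worldwide, resulting in substantial costs related to mitigations and remediations. As for the statement about stupidity and incompetence, it suggests that in some cases it can be challenging to distinguish between security vulnerabilities created deliberately and those created because of factors beyond the control of individuals or teams (such as architectural limitations or poorly designed APIs). Ultimately, regardless of the cause or origin of the security flaw, addressing and resolving it is crucial for maintaining a robust and trusted computing environment for users globally.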

Original text

I recently discovered [another] secret browser that is inside Google Play Services. The uniqueness of this browser is that it is accessible by a link. That means it not only bypasses the “normal” Google parental control, it also bypasses the “lock-down” mode (the “lock-down” mode is the “your device has been locked” screen in parental control). I also discovered a similar method which can be used to bypass the Android screen pinning feature from the Contacts app.

TodePond YouTube video in Google Play Services app

  1. Enter the Contacts app using the “emergency call” button after the normal unlock of the phone. (Assuming you are not reading this blog in lock-down mode, you can just open the normal Contacts app.)
  2. Edit an existing contact (or add a new contact, then edit it), scroll until “More fields” and click on it.
  3. In the “Website” field enter this website: “https://gds.google.com/gmsdrops”.
  4. Save the contact, then click on the link.
  5. You should now see “Your Android device just got better” (it’s a Google lie 🙂). Click “Show me”.
  6. Click “Learn more”. If you don’t have that, click “next” until you have it.
  7. Now you are in the browser. Resize it by moving it up. Click the hamburger menu, then click the big “Google Help” text.
  8. Click the hamburger menu again. This time just click “Google”.
  9. You may or may not be already signed in to this browser. If you are signed in, you can log out from Google. It does not affect your Chrome browser. There you have it. A full untraceable browser inside the parental lock-down mode!

In lock-down mode, Google “locks” all apps (including the Android launcher and parts of the system) apart from “Google Play Services” (which is used to display the popup message and enforce restrictions) and the Contacts app (for phone). As last time, it’s still the fault of the same app: Google Play Services. https://gds.google.com/gmsdrops is a deeplink to the Android “what’s new”. (You can also open it from here, and if your browser forwards deeplinks you will probably get a message asking if you want to continue to an external app/Google Play.) While parental control doesn’t allow you to open deeplinks, it does allow the Contacts app to do so. When you click on the website field of a contact, it’s the Contacts app which opens the link. So it’s not blocked.

Android (11+) has a screen pinning feature, which basically makes it possible to give your phone to someone, open on a specific app, and prevent the user from moving to another app without your permission. I haven’t done research on that, but I believe the most popular use case is when you give your phone to someone to make a phone call. This time we cannot use the same link as before, as screen pinning prevents opening new apps, and the previous link opens the “Google Play Services” app. But we can use another deeplink which is managed by the same app: Google Podcasts. It’s possible because this deeplink is opened as a popup window instead of a full app.

  1. Add a website to a contact in the same way as before. Enter the website “https://podcasts.google.com”.
  2. Click the link when the app is pinned.
  3. You should now see the Google podcasts popup window. Click on the big icon of your Google account, then click “Content policies”. Now you are in the default browser. The exact place where you should not be when someone gives you their phone to call. For breakthrough use the same instructions as before:
  4. Click the hamburger menu, then click the big “Google Help” text.
  5. Click the hamburger menu again. This time just click “Google”. You got it. A complete bypass.
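A defender-side check for the two links above, as an added example that is not part of the original post: it scans a vCard export of the device's contacts and reports Website fields that point at the deep links the post names. The function name, the sample cards and the choice of a vCard export as input are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Deep links named in the post: host -> required path prefix.
WATCHED = {"gds.google.com": "/gmsdrops", "podcasts.google.com": ""}

# Constructed sample export (not real data): folded line, group prefix,
# escaped colon, scheme-less URL, and a URL that appears before FN.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Grandma
URL:https://example.org/recipes
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Test One
item1.URL;type=pref:https\\://gds.google.com/
 gmsdrops
END:VCARD
BEGIN:VCARD
VERSION:2.1
URL;WORK:podcasts.google.com
FN:Test Two
END:VCARD
"""

def audit_vcf(vcf_text):
    """Return (contact name, url) for each Website field that hits WATCHED."""
    hits, name, urls = [], "(unnamed)", []
    # Unfold first: a continuation line starts with a space or tab.
    for line in re.sub(r"\r?\n[ \t]", "", vcf_text).splitlines():
        head, _, value = line.partition(":")
        # Drop an "item1." group prefix and any ";TYPE=..." parameters.
        prop = head.split(";")[0].split(".")[-1].upper()
        if prop == "BEGIN":
            name, urls = "(unnamed)", []
        elif prop == "FN":
            name = value.strip()
        elif prop == "URL":
            urls.append(value.strip().replace("\\:", ":"))  # undo vCard 3.0 escaping
        elif prop == "END":
            for url in urls:  # scheme-less values need "//" to parse as a host
                parts = urlsplit(url if "//" in url else "//" + url)
                host = parts.hostname or ""
                if host in WATCHED and parts.path.startswith(WATCHED[host]):
                    hits.append((name, url))
    return hits

if __name__ == "__main__":
    print(audit_vcf(SAMPLE_VCF))
```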

I reported it to Google as two different cases: one for the parental control bypass, and another one for the Android screen pinning bypass. They merged the parental one into the screen pinning bypass one, then they managed to “forget” about the duplicate cases. This is the response I’ve got on the screen bypassing case (because of course screen bypassing and parental controls are intended to be bypassed):

Google answer : Android screen pinning bypassing is the intended behavior

and this confusing response about the duplication:

It’s not a duplicate. The issue was closed as a duplicate of potentially another issue. It’s a separate rewards program, and not our problem.


I hope you enjoy your secret untraceable browser.
