This exploit can bypass Android’s parental controls for web browsing



Summary

  • Google’s parental controls in Family Link aim to protect children from harmful content on Android and ChromeOS devices.
  • Parental controls can be set to block explicit sites automatically or allow/deny access to specific sites.
  • A developer discovered an exploit that allows children to bypass these controls using a hidden browser within Google Play Services. A Google spokesperson has confirmed that the company is in the process of rolling out a fix.


Not all content on the web is safe for children. Google’s parental controls, part of Family Link, are a way to reduce exposure to potentially harmful content on children’s Android and ChromeOS devices, with parents in control of what apps and websites kids can visit. A recently discovered exploit might make it possible to fully circumvent any browsing restrictions thanks to a hidden browser, though.

There are a number of ways parents can use Family Link. They can simply use a toggle, “try to block explicit sites,” which automatically bars access to most problematic websites for children, though as the name suggests, it isn’t perfect. It’s also possible to block or allow specific sites for a more hands-on approach. When needed, parents can also approve or deny requests from children to visit blocked sites.

All these controls only work in Google Chrome; other browsers are not affected by Family Link settings. Normally, preventing children from installing a third-party browser is enough to stop them from circumventing parental controls, but web developer matan-h spotted a way around parental controls using a hidden browser that’s part of Google Play Services.

Accessing the browser requires creating or editing a contact and then adding a specific link (https://gds.google.com/gmsdrops) in the contact’s website field. After saving the contact, it’s possible to click the link, which leads to the “Your Android device just got better” page you often get served automatically after a system update. A tap on the Show me button leads to a more detailed description of the update, which will most likely have a Learn more link somewhere.

Once that’s tapped, an internal browser opens up that shows a Google help page with more information. Here, it’s possible to enter the hamburger menu, and then tap on Google. From there on, one can search the web and visit any website via the Google homepage.

Matan-h explains that the exploit works because Google doesn’t lock down Play Services when parental controls are turned on, likely to avoid breaking third-party apps and other components that depend on it. To keep workarounds like this from working, parental controls normally don’t allow you to open deep links like https://gds.google.com/gmsdrops, but this restriction doesn’t seem to apply to the Contacts app.

The developer already contacted Google about the workarounds, with the company claiming that the parental controls are working as intended and that it won’t fix the problem, saying it’s not an abuse bug. At press time, we can confirm that the loophole is still present in our testing. However, we reached out to Google and got the following comment:

We are aware of this issue reported by an external researcher and are in communication with them regarding the report. Following an investigation of the root causes, we implemented a fix, which we are in the process of rolling out to Android users.

There was no word on when the fix might hit devices, but it’s good to see Google working so quickly to close this loophole.


