
Google has another secret browser

Lutzb
32 replies
5h0m

Google's parental controls leave so much to be desired. There is a long-running request for disabling the Play Store app. Still this is not possible without using adb (which is not a good solution, it leads to other problems).

It feels like no real kids are testing the parental controls: For a long time it was trivially easy to circumvent a set YouTube time limit restriction by just opening Play Store, browsing to an app with a video in the screenshot list and heading over to YouTube from there. My son actually showed me this when he discovered it.

oldandboring
13 replies
3h48m

Google parental controls are basically abandonware, they function poorly and awkwardly, and don't integrate well with other products/services such as Google Home and Google TV. I have a dense 5 page document I wrote up detailing all of this, and I have nobody to send it to.

Most of my frustrations come from the challenge of having 2 older (not toddler) kids, plus multiple Google devices (phones, tablets, Google TVs, PCs signed into Google Accounts). Google imagines parental control to be in the context of supervision, i.e. this is Billy's phone and I'm going to physically hand it to him to use until he's done. And it's fundamentally device-level rather than account-level, making it very cumbersome and easily circumvented -- let's say Jill has access via her account to 3 different Google TVs in the house. Family Link makes you say how much time she's allowed to spend on each TV per day. But to Jill, TV is TV, so if you leave her home alone unsupervised she'll just watch her quota on the first TV and then move on to the next.

My prevailing theories, mind you I have no evidence at all for this:

- These disparate product teams don't actually work closely together (and are probably incentivized to NOT work together)

- These are dead-end teams at Google. If you end up on one, your goal is to nominally ship something so you can go somewhere else.

- The product and engineering people who end up on the Family Link team don't actually have kids (they're too young), or if they do, they have like, one young kid.

cmrdporcupine
3 replies
2h16m

For comparison, and as a rant to substantially agree with you....

Microsoft has e.g. actual child Hotmail accounts, where the parent can whitelist who they can email and who can contact them. Gmail does not and has no intention of adding such a thing. They did eventually add child accounts as part of the Family Link effort, but there are really no controls at that level. I recall seeing internally at Google that instead of adding such facilities to Gmail, they just preferred to a) cover their eyes and pretend that <13 year olds didn't have accounts by tossing that into the agreement and asking for a birthday b) propose some blue sky alternative communication system for children (I forget the name of this effort, but it was I think 2016ish time frame?), but it had mock-ups and hand waving and big discussions and PRDs etc but was guaranteed to go nowhere because it was a giant vision parallel to y'know... actual-reality...

Microsoft also has global time limits across all devices. And far more granular control.

Anyways, you're substantially right about all this. It drove me nuts that we struggled to deal with access to harmful content and had no control over it, and the worst part of it was working at Google at the time and seeing just how not-seriously this is taken or at least the level of organizational paralysis that was preventing action.

Apple's system isn't much better than Google's FWIW.

monkpit
1 replies
36m

Microsoft’s family thing is better but still not good. Simple things like adding more time or allowing purchases or adding funds with gift cards routinely fail with meaningless errors along the lines of “failed”. Or worse, a success message but there was a failure and the action doesn’t actually take effect.

The moral here is all parental controls are crap because they don’t directly drive revenue. (Yes, you can say “but I would prefer to use a service with better controls, which drives adoption”, but let’s be honest - we are a minority there). Nobody’s getting promoted for making the best parental control suite.

cmrdporcupine
0 replies
29m

Sure, and for ad-revenue driven companies like Google and Meta having good parental controls actually harms their business instead of improving on it. The incentives are all wrong.

That, and parents only have kids of the age that this is of relevance for, for maybe 4, 5, 6 years. So you're targeting a feature not only for a small segment, but one that is transient.

And if you screw it up, there's all sorts of potential for liability. You have to be careful about what you promise, etc. etc.

All the more reason why the answer probably comes down to: gov't regulation instead of expecting them to do this voluntarily.

ryandrake
0 replies
1h55m

My kid (under 13 y.o.) and all her friends know that when you sign up for some online service, you always need to give a birthday such that your age is 13+. Many services are totally nerfed to the point of uselessness if you say you are under 13, and/or won't even let you sign up. Also, some companies blacklist your E-mail address if you ever say you are under 13, so you can't try to sign up as a 10 year old, realize your mistake, and then try to re-sign up with the same E-mail as a "14 year old". Consequently, circumvention techniques get around pretty quickly among the pre-teen circles.

bee_rider
3 replies
3h24m

They probably realize it is hopeless to try to lock motivated kids out of their devices. And it might be a nostalgic memory for them, maybe they aren’t too motivated to implement this stuff. Most of us had full control of our devices growing up, right?

oldandboring
0 replies
1h30m

Locking kids out of a device is what Family Link excels at. You go in, you select the kid, you select the device, you click Lock.

Here are things you cannot do:

- Create a global screen time limit across all devices regardless of how that time is used.

- Create a PIN for Google TV that prevents kids from switching to an adult account in order to access more apps. Right now it's the other way around, you can set a PIN that prevents a kid from accessing their own account (again, because supervision!) but that kid can easily switch over to the adult account if they want.

- Require that an idle Google TV exit to the 'user selection' screen after a timeout. Right now a kid can just walk up to the TV and start using my profile and apps because I was the last one to use it.

As for nostalgia, I think that's overthinking it.

monkpit
0 replies
41m

No, parental controls don’t drive revenue so they get abandoned. No manager type is getting promoted for creating an amazing parental control product.

hunter2_
0 replies
2h32m

Nostalgia time.

Most of us had full control of our devices growing up, right?

Devices, yes. Internet connection: not at first. With the AOL app (not a separate appliance or OS feature) responsible for establishing the dialup connection, it only bridged internet access to the OS when the current AOL user had no parental controls. As a 10-14 year old whose AOL account was set to "young teen" (DNS allow list) and then "mature teen" (DNS deny list), I was free to use non-AOL apps but they had no internet access. Solution: download a keylogger* and subsequently use a parent's AOL account for the next few years until they removed controls from mine, giving full Internet access to the whole computer, without being found out.

*The free version had a "pay for this" nag popup every few minutes. I opened the exe in a hex editor, typed over that nag string, and managed to corrupt it just enough that it would crash (with a totally generic fatal error) instead of nag. Launched it right before finding mom or dad to help me do some safe but blocked activity, which they were always happy to do, with increased supervision.

jszymborski
1 replies
3h9m

Once the dust from the YouTube Ad-pocalypse settled and advertisers started spending money again, I feel like Google lost interest in a lot of child safety stuff.

pclmulqdq
0 replies
3h1m

That must be when Google realized that child safety directly hurts its bottom line.

terio
0 replies
13m

Can you post the doc?

refulgentis
0 replies
1h6m

1 and 3. The quiet detente at Google is product won't be too ambitious if engineering doesn't go out of its way to do anything:

90% of the time product lays out a minimal rushed vision, engineering huffs and puffs that it might be impossible, then people work about 20-30 hours a week complaining that the designers didn't tell them exactly what to do and the teams they need to integrate with won't help, and you deliver 80-90% of the original minimal "vision" and slap each other on the back.

And that was _before_: A) they spent 18 months firing people, while some managers took advantage of that situation to punch down. B) they nuked the performance review system, 80% are exactly the same with their Significant Impact, another 10-15% have scarlet letters, and 5-10% get rewards.

Any deviation from that and someone perceives you as being on their turf and finds a way to punch down.

And good luck getting management to care, just like the real world, no one wants to get within 100 feet of trouble.

Then you're faced with the invitation to appeal to a VP, a coin flip where you have to guess at if they're going to back you, and even if they do, facing the fact you nuked your career anyway because you broke omerta.

ilrwbwrkhv
0 replies
7m

Google itself is abandonware at this point. All of their services have bugs every single day. UI feels unpolished. And God forbid you have to talk to support. Some dude in India who doesn't understand English responds through email and keeps repeating the same script.

renegat0x0
4 replies
3h23m

I was using the parental control, however I have stopped using it.

In the end it is a surrogate for a parent. Either you care about your child and you know what it is doing, or not.

If you think that your child would be vulnerable to anything in the web, then most likely you should not give the phone to your kid.

If the kid is old enough to understand things, then it does not require software parental control, but a parent. A good parent does not need parental control in apps of their children.

Parental controls also disable the ability to install apps from other sources and I prefer F-Droid apps to Play Store apps.

The last thing is that it teaches that we are controlled by some software company, and 'kept safe from harm'. It gives that illusion. It trains that illusion. It enforces it.

JoeAltmaier
1 replies
3h20m

True, but maybe a little idealistic?

Every parent can use a little help. There's so much that your child sees and hears, you want to be there to help explain it to them when they have questions.

Hand them a device that shows anything happening anywhere in the world? Maybe a little help there, limiting what they can easily stumble upon, is a good thing.

renegat0x0
0 replies
2h29m

Raising a child is difficult. Children, as people, are different. My children do not require it. It is not idealistic therefore.

I do not say that everybody can now safely remove their safeguards.

riku_iki
0 replies
2h54m

If you think that your child would be vulnerable to anything in the web, then most likely you should not give the phone to your kid.

A phone has many utilities I want kids to use: make calls, check mail, maps, weather etc.

The issue is that they are using it for secretly watching tiktok for example.

Angostura
0 replies
9m

On iOS, the ability to prevent (say) the use of social media after 10pm is very useful. What would you, as someone who "cares about your child" do instead?

AtlasBarfed
4 replies
4h49m

If Google cared in the least for kids they would scrub all of those games that are predatory, introduce gambling addiction mechanics, use annoying and confusing in-game ads, and gateway to older even more addiction focused apps. Notice I didn't even mention all of the information hoovering.

And of course the Play store is desperate for you to provide a credit card at every single opportunity so you can maximize the potential of kids doing accidental buying.

It is a complete scam.

I honestly don't know how television got such strict laws and regulations on children's programming, when viewed in comparison to the complete wild west, that is the modern app store.

willsmith72
0 replies
4h18m

I honestly don't know how television got such strict laws and regulations on children's programming, when viewed in comparison to the complete wild west, that is the modern app store.

With time and pressure.

Right now you have a fun new technology which people are still infatuated with, bought by one of the biggest companies to ever exist, in a country which openly permits business-to-politician payments through lobbying.

The wild west won't look anything like it does 50 years from now

scarface_74
0 replies
3h16m

“Television” doesn’t have strict laws and restrictions.

Over the air broadcasts do. The broadcast spectrum is considered publicly owned and is leased to television operators.

I guess you could say the same about the cellular spectrum. But how deep do you want government regulation to go since Google operates over the internet? Do you really want the government controlling internet content “for the children”?

And if they regulate app stores, especially on Android, do they also regulate what you can distribute from your own website?

cmrdporcupine
0 replies
3h31m

Not sure who is downvoting you, but you're absolutely right.

Just like Meta/Instagram, they're paying lip service to the concept, but not really taking action.

Frustratingly, out of all the platforms & BigCorps, Microsoft's parental controls and support for child accounts seems the best.

For many parents this might be no big deal. But there are genuinely children who've ventured into self-harm, eating disorder, etc. content on account of the wild-westness of the Internet combined with weakness of this crap. And it's absolutely maddening to see how pathetic they all (including Apple) are treating this.

AndrewDucker
0 replies
4h42m

The sheer fact that I can't differentiate between "Has ads, and you can pay to get rid of them" and "Has 15 different currencies that make the game no fun unless you pay a fortune" in the Play store is proof that Google don't want to promote good business practices.

TeMPOraL
2 replies
4h16m

Parental controls are a strange beast. In general, they stand zero chance against even mildly interested kid, unless you're going to lock them up in a basement to isolate them entirely from their peer group. Those controls work best as a soft limit - strong enough that going around them would be clear, unambiguous disobedience. After all, they're parental controls, not NSA-proof security. Making them technically bulletproof would arguably be worse for everyone.

tivert
0 replies
3h54m

Those controls work best as a soft limit - strong enough that going around them would be clear, unambiguous disobedience.

Which could very likely go undetected, therefore unpunished. It's not like it's a family-room computer that's easily monitored.

After all, they're parental controls, not NSA-proof security. Making them technically bulletproof would arguably be worse for everyone.

It sounds like they're about as bulletproof as a screen door. It would be much better to have them as strong as a locked exterior door, maybe not "NSA-proof" (the door is vulnerable to locksmiths and battering rams) but strong enough to keep a kid out.

philistine
0 replies
3h50m

I think you're describing the point of view of the phone makers. Parents I've interacted with are in a whole other world. If you limit YouTube, you're limiting YouTube. There should be no caveats.

shantnutiwari
0 replies
18m

Amazon's Fire tablet allows you to block apps like YouTube with a password (or completely hide them), but I haven't ever tried to "hack" them, so don't know how effective they are

codeulike
0 replies
3h37m

I don't think many people really use parental controls on Android or iOS. It's a feature that's there to make consumers feel safer, but anyone that tries to actually use it is going to quickly give up.

Small example: On iOS 'Screen Time' you can restrict websites to a whitelist, which seems useful. But so many things break if you do that - all kinds of login screens for different apps - and you don't get given clues as to what URLs need to be whitelisted to un-break things.

Sometimes with modern tech you're using a feature and you think "this is incredibly complicated and broken, there can't be many people actually using this" and I tend to get that feeling with parental controls.

cmrdporcupine
0 replies
3h34m

"It feels like no real kids are testing the parental controls"

Or... hear me out... they don't really want adequate controls to be put in place in the first place?

And, yeah, I have many many beefs to pick with Family Link.

Xeamek
0 replies
4h21m

It feels like no real kids are testing the parental controls

I feel the same can be said about the accessibility service: Once you get the accessibility permission, you have FULL control over the user's device. They could just split those permissions and expose a more fine-grained control API, but they (I suspect) have some one, very extreme use case in mind and design the service around it (like, i.e., the phone user being completely blind and requiring the accessibility app to be an interface for literally all interactions with the device).

Which means that whenever you want to use some feature of that API, you have to trust an app completely and give it a carte-blanche to do whatever it wants on your device.

Which ultimately leads to a gigantic hole in the platform's security, for no other reason than 'this is the way and scenarios we intend people to be using it, and we give no compromises for anyone who has any other usage in mind'

Scubabear68
0 replies
54m

I have yet to find a really good online electronic control system. Having worked with the Apple, Windows, and Sony systems, they all suck.

The Apple ones seem to have a hundred holes kids can break to extend screen time or download apps, and sometimes it takes awhile for a change to take effect. Windows was completely broken last time I checked on my son’s gaming machine. And Sony PlayStation - oh, so so painful.

So it isn’t just Android. It’s everyone.

andybak
31 replies
5h7m

A team that handles security vulnerability reports should never say "oh - that's another internal team. Go ask them...".

In fact almost any staff member inside an organisation that receives a plausible vulnerability report should ensure it reaches the right people. It's not something you should shrug off.

extheat
10 replies
5h0m

It’s not really a vulnerability in the sense that it leads to any sort of system compromise. It’s definitely a design flaw in whatever features they added to the OS, but not necessarily something that warrants a huge investigation.

andybak
8 replies
3h49m

I think anyone expecting these security-related features to work as expected would regard it as a vulnerability.

kllrnohj
4 replies
1h40m

Is parental lock really "security-related" ?

Like it's a frustrating response to this valid bug report, but it's not really a security risk here, either. You don't actually bypass the lock screen or anything.

andybak
3 replies
1h36m

I think it really is and could have serious safeguarding issues.

Also other features are affected like kiosk mode etc. The implications are unclear but could conceivably be quite serious in some scenarios.

kllrnohj
2 replies
1h31m

Also other features are affected like kiosk mode etc

Is it? That's not demonstrated nor claimed in the linked article.

I think it really is and could have serious safeguarding issues.

Elaborate. What's the security risk from your child using a browser after the parental control timeout expired? It's annoying that the automatic limits didn't fully happen, but data isn't compromised as a result, either.

semireg
0 replies
19m

We are worried about children being compromised. This is as much about data getting into their heads as it is about basic exfiltration.

ramses0
0 replies
1h0m

Browse the open internet (or internal network?!) from a McDonalds ordering kiosk?

No skin in the game, but this is very similar to the old Win95 "About... Help... $BROWSER" style bypasses.

dcow
2 replies
2h32m

There are also just normal bugs and known limitations and acceptable risks.

eli
1 replies
2h4m

So are nearly all security vulnerabilities.

Is bypassing the lock screen a security bug?

kllrnohj
0 replies
1h39m

The lock screen isn't bypassed in either of these.

tigerBL00D
0 replies
2h43m

If I read that correctly, in the second case someone can bypass the pinning feature to access your personal information via the default browser's active sessions. That would be a compromise if that's the case.

TeMPOraL
7 replies
4h35m

The "that's another internal team" reply was presumably more about bounty than vulnerability itself. Still, my contrarian take: support - whether external customers or internal stakeholders - is a game of hot potato: first person that fails to forward it to someone else will get burned.

It would be great if everyone was happy to drop whatever they're doing and lead resolution of customer's complaint, regardless of who the actual empowered/responsible person/team is. Alas, we live in the world where most people subscribe to Copenhagen Interpretation of Ethics. In this world, even forwarding a request to those responsible is dangerous. Anything more than that entangles you with the problem, meaning you'll be held responsible for it, no matter your actual connection to it.

We can call it "principal-agent problem", or just "survival in the world where requesters are hunting for anyone willing to engage with their requests".

(Source: I used to be the one willing to handle any internal request even tangentially related to my work, until my line manager told me to ask requesters for project ID or billing code before giving any help that requires more than 1 minute, because otherwise I'll end up doing none of the work we're actually being paid for.)

smallmancontrov
1 replies
4h17m

Yes, and the worst part is I don't think it's even a side effect of organizational structure because I've seen it in so many places. There is just a quirk of human psychology where "if you touch a problem it belongs to you now," and the result is a situation where everyone would be genuinely happy and eager to help but nobody (except the newbie) dares try because the consequences for trying are immediate and dire.

skybrian
0 replies
4m

This seems related to what I think of as the “jurisdictional hack.” Nobody can solve every problem, so you define a realm that’s your responsibility and anything outside it is someone else’s problem.

Keeping your jurisdiction small means you can do more within that jurisdiction, by ignoring even important problems that are outside it.

But the alternative is ineffective doomscrolling because all the world’s problems are yours.

joshspankit
1 replies
2h43m

support - whether external customers or internal stakeholders - is a game of hot potato

I’d like to shift this a little:

Support whose primary metric is handle time is in a game of hot potato.

From a business perspective the managers and leaders always feel like there’s too many fires which inevitably leads to either pressure on front-lines to “go faster” and “stop doing unnecessary work” (aka “taking time away from the fires”) or some level of management that’s intentionally blocking higher-ups from seeing those fires so that they look like they are managing the department well (and in this case not only is there the same pressure on the front-lines, but there’s additional pressure about not reaching out to anyone except through that manager).

When the primary metric is handle time, the issues pile up, there’s never enough people to handle it, and the business slowly sinks as no one with a budget sees the “ounce of prevention [that can prevent a pound of cure]”.

However: If the metric is minimum number of departments an issue touches before it’s resolved it’s a whole different thing. Suddenly playing hot potato is a problem and “problem ownership” is praised. There are other metrics too that produce different support cultures (and sometimes different games), but the reason hot potato is so popular is that those other metrics all require top-level execs to be comfortable with spending now to save down the road.

skybrian
0 replies
11m

This seems difficult to resolve because staff time is limited and you can’t do everything. That’s why tasks need to be prioritized. But how?

Distributed prioritization seems like a problem; you can get priority inversion if you’re not careful.

some_random
0 replies
2h53m

You're totally right in the general case, but in the specific case of security vulnerabilities it makes sense for there to be an exception (even if the action taken is just to hot potato on your side).

asveikau
0 replies
1h15m

I feel like my experience with big cos is that the "that's another team" might go like this:

Parental controls is essentially maintenance mode and has 1 dev nominally responsible for it, maybe their workload is divided between that and a bunch of other stuff that they deem their "real" work. The way the component works means that bugs typically get assigned elsewhere in the system very far away from parental controls; you, the owner of Contacts, land a bug like "Your feature XXX has the following failure in parental controls mode." The team responsible is like ... "Why do I care about this? Why should I take a code change for this? Isn't that your problem?" Whoever is responsible for parental controls might not care, but if they do, they don't have political leverage over the owner of the Contacts app or whatever. Therefore, won't fix.

ajross
0 replies
3h41m

The "that's another internal team" reply was presumably more about bounty than vulnerability itself.

Yeah, that's my read. Basically the first line of support said "parental controls and screen pinning don't count as security boundaries", and the author is upset not because of an abstract argument about impact but because they want to get paid.

Should they be security boundaries? Honestly I'm mixed on this. First because the threat model is totally different when the attacker is your teenager (i.e. who exactly is the harmed victim? The parent?).

But mostly because the whole idea behind bug bounties is to encourage disclosure of vulnerabilities that would otherwise be sold and deployed against the public at large. That is, the bugs have "value", and we're all better off if the purchase price is borne by the software developer than the criminal. There's no market for parental controls bypasses in that sense.

Xeamek
6 replies
4h32m

They said 'go ask them' about why they decided to close the issue (which also implies that someone went over this already), not 'go ask them because we simply don't care to look', as your comment seems to imply...

andybak
5 replies
3h49m

The result was the same. Someone was reporting a bad thing. The bad thing never got fixed.

Xeamek
4 replies
3h42m

This is too reductive.

The 'we analyzed the issue and decided it won't be fixed' is NOT the same as 'we don't care about this, go talk to some other team and maybe they'll fix it'.

Deciding something is not a bug is not the same as just ignoring the bug and not fixing it

andybak
3 replies
2h52m

In this case it is - because someone outside the org - who has no responsibility for your company fixing its stuff - is being asked to make sure the issue isn't lost.

Google lost out in this case - because an employee pushed responsibility onto an outside party.

dcow
2 replies
2h31m

What did they lose out on?

dullcrisp
0 replies
1h46m

And also this crisp new $50 bill I have in my pocket, if that’s all they care about.

andybak
0 replies
1h52m

1. They are still shipping a product with a fairly serious flaw because the report didn't get to the right people

2. The flaw was publicly exposed which caused reputational damage.

qingcharles
1 replies
1h59m

Google is the king of "not my department." "No, I don't have contact with any other department within Google." "No, I don't have the email address of anyone on any other team in Google." WTF, Google?

skirmish
0 replies
46m

It's most likely because when you forward any internal information to any outsiders, you will get a stern dressing-down by your manager.

xuhu
0 replies
4h58m

They have these exact phrases in their best practices list, but with no instead of any, and always instead of never.

irrational
0 replies
51m

How do you even find the right people? I have no idea how I’d do that at my company.

gear54rus
0 replies
5h1m

I assume that's the reason he just made a writeup about it instead.

curt15
4 replies
5h3m

I read that Google Play Services can even grant itself new permissions[1]. How does that work? Does it have root?

[1] https://developers.google.com/android/guides/permissions

ranger_danger
0 replies
3h44m

this is called a back door, not to mention it can already install (and uninstall!) apps without your permission. and yes they have already gotten in trouble for it in the past, but not enough happened to them.

matan-h
0 replies
4h52m

yes. (It's not really the 'root' user, but it trusts blindly and can do things such as installing apps without user confirmation.) In my other blog post about gms, the JS bridges would be running in the privileged scope.

You agreed to this in Google's privacy policy when installing Android.

ignoramous
0 replies
5h2m

Does it have root?

Not really, but it is a privileged System app, which pretty much means it can do a factory load of things that installed apps cannot without root.

Xeamek
0 replies
4h41m

Systems (or vendor) apps also have to predefine permissions in their manifest, so not every system app can do everything. But the list of permissions accessible by those apps is so broad they can effectively have root, as long as you define enough of them as developer

Xeamek
4 replies
4h37m

Eh, calling an embedded web-view a 'secret Google browser' smells a bit clickbait-ish.

In situations where it bypasses things like parental control it's fair to bring it up as an issue, but it's not exactly a 'vulnerability' in the way a vulnerability is commonly understood

mrweasel
2 replies
3h45m

Perhaps not, unless there is a security vulnerability in the web-view. I think it shows that there's a problem with the usage and implementation of web-view and its permissions.

I can see why Google wouldn't want to apply the permissions and parental controls from the browser to the web-view, that would break a bunch of stuff and it would be hard to explain to the user that a link in the Contacts app doesn't work, because Chrome is locked down. Others would argue that is exactly what they expect to happen.

In this case I fail to see why Contacts embeds its own webview, rather than just triggering the browser to open the link. Not every app needs a web-view.

kllrnohj
0 replies
1h33m

Android's WebView is Chrome, process sandboxing & all. Unless the Contacts app injected a JS handler, which we have no evidence of, then it's no less secure than Chrome is.

hhh
0 replies
3h23m

This is how the current ps5 jailbreak works iirc

make3
0 replies
3h22m

the pinning thing looks like other applications could assume it's safe when it's not actually, which is a normal recipe for a vulnerability. worth investigating at least

prymitive
1 replies
1h56m

Reminds me of this classic gem: https://imgur.com/BULPmCI?r

k8svet
0 replies
1h53m

Exactly what I thought of. I've used a technique similar to the OP for bypassing FRP on a Pixel 2 that I bought used on Craigslist. Also provoked a similar thought of how my entire life was set in motion staring at this screen for hours as a bored little kid, finally breaking in and experiencing my first "hit".

zelon88
0 replies
25m

Is this the same Google that pours millions of dollars into its Project Zero securi-tainment blog where they specifically use hamfisted disclosure policies to discredit competing products?

Oh, well color me shocked!

thiago_fm
0 replies
2h33m

I have a faint memory of having seen an HN article about this hidden browser before.

In any case, the Google response you've seen shows how the company is messed up. Google became Microsoft in the 90s.

jwithington
0 replies
9m

what's the consequence of this? kids can bypass parental controls? just making sure i understand

dr_kiszonka
0 replies
16m

In case anyone is interested in an earlier discussion from 2023 (312 comments): https://news.ycombinator.com/item?id=36478206

disintegore
0 replies
4h19m

I expected Google Ultron

dartharva
0 replies
2h21m

I remember using something similar to bypass the lock of an old phone my colleague had forgotten the password of in my teens. It involved downloading an apk from some shady site with this "in-built browser" that did something to unlock the phone, then factory-resetting it.

dang
0 replies
1h9m

Related. Others?

Google has a secret browser hidden inside the settings - https://news.ycombinator.com/item?id=36478206 - June 2023 (312 comments)

cynicalsecurity
0 replies
6m

This is some Windows 98 login screen bypass hack trick.

https://i.imgur.com/BULPmCI.gif

Honestly, I would have never expected Google to become Microsoft Windows 98 level bad at designing their systems.