Introducing the Skioviox exploit

Getting an unrestricted browser on ChromeOS 115
Written by Bypassi; see full credits at the end

How many users?

Hello! Let's talk about ChromeOS and kiosk apps.

When you turn on a school Chromebook, you normally see a login screen showing one or more names, each accompanied by a password prompt:

If you've never seen a password prompt like this on your school Chromebook before, then this exploit won't work for you. Seriously. Sorry.

So, how many users are on the Chromebook above? Looks like one, right?

Actually, it's impossible to know. The true number of users depends on what happens when you click the Apps button seen in the bottom left of that image.

What's a kiosk app?

I think chromeos.dev says it best:

Kiosk modeā  is a specialized way of running ChromeOS that focuses on just one application at a time. Set by an administrator, kiosk applications are locked in full screen and run without user login to the device.

These are often used in enterprise environments for things like state tests. The point is, it's just a single fullscreened app window.

But one thing that's really important to understand about kiosk apps is that each kiosk app on the Chromebook is really a user. Each has its own:

So if a Chromebook has 1 real user account and 6 kiosk apps, it's technically storing 7 users.

Now, this is obviously some insane overkill, because kiosk apps would never have to use 90% of these features. But ChromeOS is notoriously consistent with its design; even the first "connect to network" screen you see is written in HTML, JS, and CSS.

In fact, the only things seperating kiosk apps from being a full unblocked browser is the fact that a certain app is launched and full-screened. If that doesn't sound very reassuring to you, that's because it isn't.

The old kiosk exploit

The year is 2020. Google is releasing ChromeOS 86, which happens to patch a certain exploit. At this time, only a dozen people or so are aware that this exploit exists.

The exploit was, in short, a race condition that allowed a user to open an unrestricted window instead of a kiosk app. The issue stemmed from two things: the kiosk network error page and ChromeVox.

ChromeVox is the text-to-speech (Spoken Feedback) accessibility extension for ChromeOS. It can be turned on by pressing ctrl+alt+z. It can also be accessed in Kiosk apps. Some ChromeVox shortcuts open help pages.

The issue was that, if timed correctly, these help pages could be opened while in the middle of a navigation from the kiosk network error page, leading to an unblocked browser:

Why was this exploit so good? Well, ChromeOS policies are split into two categories: device and user. And since, technically, no administrator-controlled account was signed into Chrome, user policies did not apply. So:

There was no other exploit capable of bypassing the URLBlockList policy. But the first kiosk exploit didn't work perfectly every time, and it could only be done once per powerwash. So, sadly, it wasn't optimal.

There is so much more history to this exploit, and I can't do justice to it here. If you want to see more, check out my friend Cor's instructions on using the exploit.

Sadly, with the barrage of SH1MMER patches, you can't downgrade to the old versions from 2020 anymore. So that category of exploit is patched and gone.

Blunder!

Well, the exploit was patched for some time. But then Google made a mistake, and the holes lined up.

So, spoiler alert, in case you haven't figured out already: there's another kiosk exploit. And this new kiosk exploit--named Skiovox--stems from two things: the kiosk network error page and ChromeVox.

Wait a second, isn't this the same thing? Yes, it basically is. And it's even more hilarious now.

One broken button and one forgotten key

The real cause of this issue is a single button: the "Back" button on the current kiosk network error page, which has been broken for quite some time now.

This button should take the user back to the regular sign-in screen. But it doesn't.

There's a little-known and rarely-used feature on Chromebooks called secondary accounts, also known as multiple sign-in. In short, two ChromeOS accounts can be signed in at the same time. This differs greatly from having two Google accounts signed into a single ChromeOS account.

ChromeOS accounts each have their own browsing profile and policies. Google accounts are only used to sign into Google services like Play Store and YouTube.

Back to kiosk. When you click the back button from the network error page, you are shown a slightly modified version of the regular log-in screen. Specifically, there isn't an "Apps" button in the bottom left, and there's no toolbar in the bottom right.

What's happening here is that your school account is being added as a secondary account. Recall that kiosk apps are actually users--this means that your kiosk app is the primary account. You are signed into both a kiosk app profile and your school profile at the same time.

Now, most administrators prevent school accounts from being used as secondary accounts. A dialog shows up, blocking the whole screen and forcing the user to sign out. Well, unless they press the escape key, which bypasses the dialog completely.

So now you are in a weird, kinda-kiosk state. For example, keyboard shortcuts like ctrl+t are still restricted the same way they are in a kiosk app. Also, all smoothing animations seem to be removed, along with the fullscreen controls for windows.

But on the surface, this just seems like an uncanny and broken version of your school account, interesting but not exploitable.

The return of ChromeVox

But, in ChromeOS version 114, Google made a big mistake.

Remember ChromeVox, the text-to-speech feature? This new mistake allows ChromeVox help windows to once again be loaded while in a kiosk app. But they're loaded in the background, invisibly, which would be useless if not for the back button issue.

This chain of issues can be turned into an exploit:

Before I get to any specific instructions, I want to mention the pitfalls of this exploit:

In the next sections, I will also introduce a solution to these issues.

The instructions

Step 1: Sign out of your Chromebook. Again, it should look like this:

And again, if it doesn't, you can't do this exploit.

Step 2: Click the time and click turn off your Wi-Fi.

Step 3: Click the "Apps" button in the bottom left and enter a kiosk app. Kiosk apps that are offline enabled won't work, but very few apps have this capability. It's very important that you try to use the same kiosk app every time you do this exploit. Remember, every kiosk app is a user, and you want your stuff to be saved.

Step 4: Wait until you get to the loading screen stage which says "waiting for network connection". You can also just wait for the error page just to be sure:

Step 5: Press ctrl+alt+z. You should get a ringing noise and a creepy voice saying something like "ChromeVox spoken feedback is ready". If nothing happens and this is your first time trying the exploit, too bad. Give up.

Step 6: Hold down the search key while pressing the following keys in order: o and t. A screen like this should now pop up:

Step 7: Click "Resources", then click any one of the three links that show up.

Step 8: Click "Exit Tutorial", then turn off ChromeVox by pressing ctrl+alt+z again.

Step 9: This following step has to be done within around 6 seconds, although it depends on the speed of your Chromebook:

If your Chromebook connects to Wi-Fi before you type in your password, you will get kicked back to the kiosk app before your secondary account is added, which is bad.

If you're a slow typer, or just have a long password, check the alternative method for a more reliable way to trigger the exploit.

Show alternate method

Step 10: If a dialog shows up saying that all users must sign out, just press the escape key to bypass it.

You should now have an unblocked browser open, with no extensions installed. The root of this exploit was found by @akabutnice on Discord, who reached out to me before releasing it, which is awesome. I decided to do some extra work with it, and I highly recommend that anyone planning on using the exploit reads the next section.

The Skiovox Helper Extension

So even once you are in the unblocked browser, there are some issues. As I mentioned earlier, these issues are:

So I put together a team to fix these issues. We decided to make a Chrome extension which the user could "sideload" with unpacked installation. The extension fixes these issues:

Most importantly, the extension automatically creates an unblocked window by itself, so ChromeVox (steps 5-8) is no longer necessary to trigger the exploit.

The extension also provides additional conveniences:

Installing the helper extension