{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/595768#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nVersion 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow unauthenticated access to protected resources. An attacker could exploit these weaknesses to steal configuration information, induce a Denial of Service (DoS), or modify content blocking rules for student users. \r\n\r\n### Description\r\nThe Securly Chrome Extension is a browser add-on commonly used in K–12 school-managed Chromebooks to enforce internet safety policies, filter or block websites, and provide activity monitoring for students. It is an element of the Securly classroom management platform, which helps schools comply with web filtering requirements and safely manage student online access. \r\n\r\n**CVE-2026-8874**\r\nVersion 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data over HTTPS, demonstrating an inconsistent implementation of TLS.\r\n\r\n**CVE-2026-8876**\r\nThe Securly Chrome Extension contains hardcoded, plaintext AES passphrases in `securly.min.js`. These keys decrypt crisis alert keyword data and intervention site data.\r\n\r\n**CVE-2026-8878**\r\nThe Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. 
The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.\r\n\r\n**CVE-2026-8879**\r\nThe Securly Chrome Extension dynamically registers `content13.min.js` as a content script via `chrome.scripting.registerContentScripts()` at runtime. This script is NOT declared in `manifest.json` and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.\r\n\r\n**CVE-2026-8881**\r\nThe Securly Chrome Extension uses `EVP_BytesToKey` key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching. This weak derivation method significantly reduces the effective security of the encryption, making the protected data vulnerable to efficient offline cracking.\r\n\r\n**CVE-2026-8888**\r\nThe Securly Chrome Extension downloads `config.json` over HTTP and compiles server-provided patterns as JavaScript regular expressions via `new RegExp()` without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.\r\n\r\n**CVE-2026-8889**\r\nThe Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).\r\n\r\n### Impact\r\nThese vulnerabilities collectively enable multiple attack paths and threaten the security and privacy of student users, for whom the extension may be academically mandatory. 
The HTTP configuration downloads (CVE‑2026‑8874, CVE‑2026‑8888) and weak cryptographic primitives (CVE‑2026‑8876, CVE‑2026‑8881, CVE‑2026‑8889) allow a network‑adjacent attacker to intercept, modify, or decrypt data related to keyword filtering. The presence of unauthenticated, publicly accessible endpoints with trivially reversible obfuscation (CVE‑2026‑8878) further exposes internal keyword lists, blocklists, and rule definitions. These weaknesses enable the reconstruction and manipulation of the extension’s filtering logic. For student users, this could result in exposure to content that the filtering system is intended to block, or the inappropriate blocking of legitimate educational resources. Additionally, the undeclared, dynamically‑registered content script (CVE‑2026‑8879) can be abused to fully obscure web pages, leading to DoS conditions for end users. \r\n\r\n### Solution\r\nUnfortunately, Securly could not be reached for coordination of these vulnerabilities. Until a patch is available, administrators can lower their potential exposure by restricting usage of the extension on untrusted or public networks, installing school-managed VPNs on the underlying devices, and monitoring for unexpected or abnormal filtering behavior. \r\n\r\n### Acknowledgements\r\nThanks to the reporter Santh for discovering and researching these vulnerabilities. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. 
We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/595768"}],"title":"Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities","tracking":{"current_release_date":"2026-06-03T17:58:03+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.42"}},"id":"VU#595768","initial_release_date":"2026-06-03 17:58:03.392045+00:00","revision_history":[{"date":"2026-06-03T17:58:03+00:00","number":"1.20260603175803.1","summary":"Released on 2026-06-03T17:58:03+00:00"}],"status":"final","version":"1.20260603175803.1"}},"vulnerabilities":[{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data."}],"cve":"CVE-2026-8876","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. 
Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS."}],"cve":"CVE-2026-8874","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes)."}],"cve":"CVE-2026-8889","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing."}],"cve":"CVE-2026-8888","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data."}],"cve":"CVE-2026-8878","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. 
MD5 has been broken since 2004 and a single iteration provides no key stretching."}],"cve":"CVE-2026-8881","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]},{"title":"Version 3.","notes":[{"category":"summary","text":"Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden."}],"cve":"CVE-2026-8879","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#595768"}]}],"product_tree":{"branches":[]}}