https://matan-h.com/google-has-a-secret-browser-hidden-inside-the-settings/ Skip to content Menu Matan-h * Home * Python Editor * Contact * About Matan-h Google has a secret browser hidden inside the settings Posted on June 26, 2023June 26, 2023 I recently discovered a secret browser located inside the "Manage my account" popup that Android has in various apps (quite important apps, such as Settings, and all Google suite apps). The browser even bypasses parental control! My site open inside Settings app in my Android phone How to get there? Getting there.... takes some work: 1. Go into Settings-Google (or any app that lets you choose your account) and click on "Manage my account". 2. Then go to the "Security" tab. In there, scroll down until you find "Password Manager". Click on it. 3. Click on the 'Settings' icon in the top-right. 4. Scroll down until "Set up on-device encryption" appears. Click on it, then click on "Learn more about on-device encryption". 5. Now you are in the browser. But you want to go to Google.com! So click on the hamburger menu, then click "Privacy Policy". 6. Tap the nine dots at the top, wait 5 seconds (it takes some time to load) and click "Search" (If you don't find the search icon, you can also scroll down until 'Google' and click on that) 7. Logout from your Google account. 8. You got the secret browser ! You can go anywhere. You can also play YouTube videos (with ads, unfortunately), and all of this is in the settings app (or whatever app you choose) ! [image-1]LiveOverflow in Settings app Browser overview: Pros: It's a pretty private browser : it has no history and it auto logs out of all Google accounts that were logged-in, at the end of the session. Cons: the most obvious one is the back key, which means every time you press the back key, instead of going back one address in the history, it goes back into the password manage settings, but I guess it could be considered an advantage - as an emergency key for privacy. The same goes for no address bar. (But look at the glass half full: it still doesn't advertise itself on the installation page of other browsers). But there are another things that prevent this browser from being a secure browser: The dangerous functions. The dangerous functions: As I was using this browser, I discovered a strange thing. A weird JavaScript object named mm. To see this, go to eruda, (just because it's the best mobile JavaScript console I know) and type mm Screenshot of eruda expend the `mm` objectScreenshot of eruda expend the mm object As you see, there are three functions: Let's start with closeView() function, because it's the only clear function: it just closes your browser, as would happen if you press the back key. Not a standard JavaScript function, but nothing to worry about. (you can try it right there by typing into eruda 'mm.closeView()') Then you have two methods which I don't know what they do, but they sound scary. As this is a secret-browser of the 'on-device encryption' feature, I can guess, they are both used to set your local encryption keys. So it looks like a malicious website can put their keys there, and try to make you pay for them! I think this is the time to tell you that I already reported this to Google, and they say this is not a security vulnerability (probably because this secret browser is not very popular), and that the parental control bypass is the "Intended Behavior" [image-4]Google's answer to my report If you enjoy using it, please let me know in the comments what you did with it. Hope you enjoy your (new?) browser that you didn't know you had ! 3 thoughts on "Google has a secret browser hidden inside the settings " 1. [c26] dwb says: June 26, 2023 at 12:52 pm Don't forget to follow up with them for a bug bounty award! Reply 2. [3f1] consultant says: June 26, 2023 at 1:33 pm gmail cannot be accessed. the proxy is still kicking in to block gmail. yes all others function except email access. Reply 3. [2f5] anon says: June 26, 2023 at 2:21 pm Isn't it just the system webview? It's baked into android, and you can change the default one that comes with your phone(you can download webview one frmo the playstore) Reply Leave a Reply Cancel reply Your email address will not be published. Required fields are marked * [ ] [ ] [ ] [ ] [ ] [ ] [ ] Comment *[ ] Name * [ ] Email * [ ] Website [ ] [ ] Save my name, email, and website in this browser for the next time I comment. [Post Comment] Search [ ]Search Recent Posts * Google has a secret browser hidden inside the settings * List of online converter tools * My Windows shell * My Linux .config files * Snippets program Recent Comments 1. anon on Google has a secret browser hidden inside the settings 2. consultant on Google has a secret browser hidden inside the settings 3. dwb on Google has a secret browser hidden inside the settings 4. see this page on ddebug Archives * June 2023 * December 2022 * September 2022 * July 2022 * November 2021 * October 2021 Categories * cyber * dev-program * dev-tools * linux Buy Me a Coffee (c)2023 Matan-h | WordPress Theme by Superb WordPress Themes