Network-adjacent attackers can intercept or modify sensitive student filtering rules due to inconsistent TLS implementation and broken cryptographic primitives in the Securly Chrome Extension version 3.0.7.
Broken Cryptography and Insecure Data Transmission
Securly's implementation of security controls is dangerously inconsistent. While some endpoints correctly use HTTPS for Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data, the extension downloads critical JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API (CVE-2026-8874).
Cryptographic weaknesses further undermine the extension's ability to protect data. The extension contains hardcoded, plaintext AES passphrases within securly.min.js used to decrypt intervention site data (CVE-2026-8876). Additionally, the extension employs EVP_BytesToKey key derivation using MD5 with only a single iteration for AES encryption (CVE-2026-8881). Because MD5 has been broken since 2004 and a single iteration provides no key stretching, the protected data is highly vulnerable to efficient offline cracking.
Content Manipulation and Denial of Service Paths
Attackers can leverage these flaws to manipulate the browsing experience of student users. An on-path attacker can inject specific patterns into config.json downloads, which the extension then compiles into JavaScript regular expressions via new RegExp() without complexity validation. This allows for catastrophic backtracking, resulting in a denial of service (DoS) across all browsing sessions (CVE-2026-8888).
Beyond pattern injection, the extension uses a method to bypass Chrome Web Store static security reviews by dynamically registering content13.min.js as a content script at runtime via chrome.scripting.registerContentScripts() (CVE-2026-8879). This undeclared script runs on all URLs and can immediately hide all page content, creating a full-page overlay that only clears once a service worker confirms filtering compliance. If Securly's servers become unreachable, student web pages remain indefinitely hidden.
Publicly accessible endpoints also expose SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, allowing attackers to easily recover original values and access protected data (CVE-2026-8878). These vulnerabilities collectively enable the reconstruction and manipulation of the extension's filtering logic, potentially exposing students to prohibited content or blocking legitimate educational resources.
Until a patch is released, administrators should restrict the extension's use on untrusted networks and deploy school-managed VPNs to mitigate exposure.
Source: VU#595768: Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities
Domain: kb.cert.org
Comments load interactively on the live page.