You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is for educational purposes only, use only on forms that you own
How does this work?
So, you want to know how the genie does his tricks, eh? Well, I'll tell you.
Google is dumb
They forgor to add any checks to make sure locked mode is actually enabled 💀
All that happens when you open a locked Google Form is that it submits a form via POST request that responds with the test (which would usually be locked, but we skipped the part where it tells Chrome to lock itself)
The token sent with the POST request is easily scraped from the form login page
What potential is there for issues by using this?
Every time you make the POST request after the first time, Google emails the owner of the form
The form object on the page gets deleted when the "visibilitychanged" event is fired
2a. The "visibilitychanged" event is only fired by complete obfuscation, not partial or loss of focus.
You're screwed if you don't follow the directions to the T
