ExtHang3r "kill" extensions

[Lior Agami]

I am looking for help with dealing with issue of exploit that removes all the forced extensions installed on chromebooks.

I have a bunch of users who recently found this exploit:

https://github.com/Blobby-Boi/ExtHang3r

ExtHang3r is an exploit that allows ChromeOS users to kill managed extensions after the LTMEAT patch. It remains unpatched in all new ChromeOS versions as of January 2025.

I blocked the users from being able to download anything, or even access github but those who have the code on their device could save it as .txt file and run it as .html and use the exploit.

Please assist me with finding a solution for this matter!

[woxxom]

Block the URL from which the bookmark downloads the exploit:

https://raw.githubusercontent.com/Blobby-Boi/ExtHang3r/refs/heads/main/index.html

Of course it can be circumvented by making a bookmarklet that contains the entire exploit.

Another workaround is to repackage the extensions to change their ids and install them from a local server, but that's somewhat complicated, requires effort to maintain them updated, and some extensions theoretically may break if they use a hardcoded id instead of chrome.runtime.getURL().