WEDNESDAY, NOVEMBER 25TH, 2020

Comments bombard Schoology’s homepage, none of them explicitly authorized through Schoology. A chrome extension made by junior Lesha Seletskiy enabled this, allowing him to void commenting restrictions and, subsequently, comment on one of Librarian Sima Thomas’ posts on Sept. 5.

Seletskiy said he did this by creating a Chrome extension that uses a snippet of code to allow users to comment on posts that would otherwise not be commentable.

“I was like, what if I just package this snippet of code that was before not user-accessible into a Chrome extension, so that’s what I did,” Seletskiy said. “It took like two minutes, and then I published it.”

The extension, named “4,500 Year Old Yeast” on the Chrome Web Store, advises users to press the command key and right-click on a Schoology post in order to comment. Command-clicking on a Schoology post then leads users to a fragmented page where they can add a comment. Seletskiy said his extension directs users to a page that was before inaccessible.

“(Schoology) just created a (user interface) for comments, but they just didn’t create a user interface for you to get there,” Seletskiy said. “So what it does is it just lets you get there and then there’s a disabled button (for commenting). All you have to do is just remove the disabled attribute on the button.”

Seletskiy said he was not the original creator of the code. A Gunn High School student was who Seletskiy claims to go by the nickname “Sheep.” According to Seletiskiy, all he did was package Sheep’s code into something more user-friendly.

According to Seletskiy, this extension was only possible due to a deficiency in Schoology’s coding framework which allowed for hacks. Seletskiy also said that, hypothetically, these holes could allow for other, more detrimental hacks that could jeopardize more than a person’s commenting abilities.

“When you install an extension, it can read and write all data if you grant it the right permissions,” Seletskiy said. “What that means is that I could execute any piece of JavaScript on your browser . . . so I can track your browser history while you have the Chrome extension installed. I can decide to read your grades or whatever and you give me the power that would allow me to do this but you don’t agree to it.”

One example of an allegedly malicious extension is Stylish which grants users the ability to customize their browsers with themes and colors.

Stylish, however, was and is still suspected to be a covert surveillance tool with augmented spyware, recording each user’s data that could, theoretically, tie them to their real-life identities. Stylish defended these actions per their privacy policy as it states they collect only non-personal data, but Security Software Engineer Robert Heaton said on his blog that such justification is a “solution in search of a flimsy justification.”

Seletskiy said malicious extensions are an example of everything his extension is not or never was made to be.

“I don’t steal people’s browser history or get their grades and schedules or other nefarious things,” Seletskiy said. “I just made this extension because I was bored. I never expected more than one person to ever use it.”

Junior Teg Singh, one of the extension’s users, said he used the extension for comedic purposes, commenting on posts that were viewable to all Paly students.

“I used it to copy and paste the entire Shrek screenplay onto the Schoology homepage,” Singh said. “A lot of freshmen then began to recognize me as the Shrek Kid, and a lot of people just knew me as the kid who copied and pasted the entire Shrek screenplay (onto Schoology).”

Singh’s comment was deleted minutes after he posted it. Singh claims that most students thought Thomas deleted the comments as Thomas’ posts were the primary recipient of most unsanctioned comments. Thomas, however, claims that she was unaware of an unsanctioned commenting page.

“In hindsight, it probably caused some inconvenience to people who actually needed to use Schoology for academic purposes, but it was fun while it lasted,” Singh said.

Computer science teacher Christopher Bell reprimands these unsanctioned comments.

“The intention of a person who posts in a forum where (their) comments are disabled is that their post will not be commented on,” Bell said. “If people really want to comment on all school announcements, there are better and more meaningful ways to have your voices heard. . . I would challenge them to do something more productive with their time and ingenuity.”

Bell added that, because of technology, the intentions of these comments often remain unclear, and may become misconstrued.

“There are some deeper issues with respect to free speech, anonymity, due process, and how technology magnifies and distorts the communications that provide the substrate of civilized society,” Bell said.

One Response

Leave a Reply

Your email address will not be published.