Hello, if you've used my old tutorial for these old devices, you've probably found that it's broken for 4.4 by now. After some work, I think I've managed to build a new workaround that works on 4.4. It's a long, annoying process, but it's possible after I managed to reverse-engineer how the sign-in URLs for
https://accounts.google.com/o/android/auth and https://accounts.google.com/ServiceLogin?nojavascript=1 work, and then build something that combines the two. I then managed to get an HTML editor running to allow me to go wherever I want, which allows us to go to the custom URL. Since the URL is very long (I just wanted something that worked), I've shortened it with TinyURL, which works even on ancient browsers.
(if this link doesn't work when clicked, copy this link and use it in-place)
I've also published a video tutorial here: https://mega.nz/file/dJ5i1AxK#roXPe_3SzTQMpaEEw_jIXsjQMk6m3zd3YKDg9astJ-8
If you prefer text tutorials, here are the step-by-step instructions:
Note: Google seems to be enforcing its anti-bot measures on Google Images as well now. If you are unable to search the required URL in the Legacy Method, please skip to Method 2.
-
Go to the account section as normal and select Google.
-
Click "Existing."
-
Press the Menu key (if your device has one) or the 3 dots on the top right, and then click "Browser sign-in".
-
If you see the Google login page, click "Privacy". If you get a 404 error, click the Google logo and skip to step 6.
-
Scroll all the way down the Privacy page and click the blue "Google" button.
-
You'll be on the homepage. Click "Images" (normal search is broken because of anti-bot measures).
-
Search exactly, with quotes, verbatim:
"http://htmledit.squarefree.com" -
Scroll down until you see an entry called "Pwning OWASP Juice Shop". It has an image with some code at the bottom (reference the video if you get stuck here).
-
Click the entry, then click the button with the Material globe inside.
-
You'll be on a page called "Challenge solutions". Scroll all the way down to "Change the name of a user by performing Cross-Site Request Forgery from another origin."
-
Click the http://htmledit.squarefree.com link.
-
You'll arrive at the HTML editor. Delete everything inside and type the following:
<a href="https://tinyurl.com/2s49y9p3" target="_parent">Click me!</a> -
You'll see a "Click me!" button appear at the bottom. Click it.
-
Log in as if nothing had ever happened. 2FA works too!
Before proceeding, please install the DigiCert Global Root G2 certificate below. Without this, you'll probably be unable to open DuckDuckGo outside of Android AVDs: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
- Go to the account section as normal and select Google.
- Click "Existing."
- Type in 123456@students.lrsd.org with a random password (it doesn't matter).
- Press Next (the |> icon). You will get an error telling you to sign in online. This is normal.
- You'll be redirected to a ClassLink page. (If you've attended an American K-12 school recently, this might look familiar).
- We won't be using this. Scroll down and click "Browser Check".
- Scroll down again, and click the fourth black dot under "Contact". You should now be on their YouTube page.
- Click the search button.
- Type "DuckDuckGo".
- Go to their official channel: "duckduckgo2597".
- Click the duckduckgo.com hyperlink.
- Jump back up to the Legacy Method and start at Step 7. Proceed as normal from there. Do not switch to images as this is unnecessary.
This may or may not work on Android 4.0. If it doesn't, let me know. I just posted this since 4.4 seems to be the troublesome one.
IT DOES NOT WORK