Anti-cheat browser extension fails web security exam

John Leyden December 22, 2021 at 15:24 UTC

Updated: December 22, 2021 at 17:37 UTC

XSS flaw in Proctorio is resolved

A web security flaw in an anti-cheat browser extension created a way to hijack the computers of college students and other users before it was recently patched.

The Proctorio Google Chrome browser extension was vulnerable to a cross-site scripting (XSS) flaw, security researchers from Sector 7, the research arm of Dutch security consultancy Computest, have found.

get angry

Proctorio is a form of monitoring software, a technology that became prevalent during the pandemic as a guard against cheating in online tests.

The technology is widely used in the Netherlands, much to the chagrin of local student organizations who have unsuccessfully opposed the use of the technology as a privacy risk.

Concerns have arisen because the software can read and modify data on websites that users visit, as well as take screenshots and monitor webcam images.


Controversy over the use of the technology prompted Sector7 researchers to examine the software under a microscope – an examination that led to the discovery of an easily exploited universal XSS vulnerability (uXSS).

“This [vulnerability] could be used by a malicious page to access data from any site the user is currently logged in to, for example, read all of your emails,” Sector7 told The daily sip.

“And it could be used to access features like the webcam if the user has given permission for a website to use it.”

Implementation errors

As a technical write-up of the vulnerability by Sector7 explains, the flaw is due to errors in the implementation of an “open calculator” function by the Proctorio extension. The researchers explain:

Since the calculator is added to the DOM of the page activating Proctorio, JavaScript on the page can automatically enter an expression for the calculator and then trigger the evaluation.

This allows the web page to execute code inside the content script. From the context of the content script, the page can then send messages to the background page which are treated as messages from the content script. Using a combination of messages, we discovered that we could trigger uXSS.

Sector7 told The daily sip: “[The] root cause [of the vulnerability] evaluated unreliable JavaScript from a web page in the extension, leading to universal cross-site scripting.”
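The root cause described above is that text a page can write into the calculator ends up evaluated as JavaScript inside the content script. The following is an added example, not Proctorio's code or its actual fix (which the article does not describe): a calculator that parses arithmetic itself, so anything other than numbers and operators is rejected rather than executed. The function names and the 256-character limit are assumptions.

```javascript
// Added example (not Proctorio's code): a calculator evaluator for a content
// script that parses arithmetic itself, so DOM-supplied text never reaches eval().
// Function names and the 256-character limit are assumptions.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))/y; // numbers and operators only
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at offset ${pos}`);
    tokens.push(m[1] !== undefined ? { num: parseFloat(m[1]) } : { op: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

function safeCalc(input) {
  const src = String(input).trim();
  if (src.length === 0 || src.length > 256) throw new RangeError("bad length");
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => (i < tokens.length ? tokens[i].op : undefined);
  // Fold a left-associative chain of binary operators at one precedence level.
  const chain = (next, ops) => () => {
    let v = next();
    while (Object.prototype.hasOwnProperty.call(ops, peek())) {
      const apply = ops[tokens[i++].op];
      v = apply(v, next());
    }
    return v;
  };
  function primary() {
    const t = tokens[i++];
    if (t === undefined) throw new SyntaxError("unexpected end of expression");
    if (t.num !== undefined) return t.num;
    if (t.op === "-") return -primary(); // unary minus
    if (t.op === "(") {
      const v = sum();
      if (tokens[i++]?.op !== ")") throw new SyntaxError("missing ')'");
      return v;
    }
    throw new SyntaxError(`unexpected '${t.op}'`);
  }
  const product = chain(primary, { "*": (a, b) => a * b, "/": (a, b) => a / b });
  const sum = chain(product, { "+": (a, b) => a + b, "-": (a, b) => a - b });
  const result = sum();
  if (i !== tokens.length) throw new SyntaxError("trailing tokens");
  return result;
}
```

Because the grammar has no identifiers, calls or string literals, there is nothing in the input that can name a function or reach extension messaging APIs; the widget's input field can stay in the page DOM without the page gaining code execution in the content script.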

Fortunately, the serious security bug has since been fixed by Proctorio. And, because Chrome browser extensions update automatically, users don’t need to update their software manually to be protected.

Sector7 reported the issue to Proctorio in June, receiving assurances that it was resolved approximately a week later. The fix was confirmed by Sector7 in August, well before it released its technical findings last week.

Sector7 / Computest reviewed the Proctorio software at the request of local media outlet RTL Nieuws, which then wrote a report (English translation via Google) on the research.

The daily sip asked Proctorio to comment on Sector7's research, but we have yet to receive a substantive response.
