A web security vulnerability in an anti-cheating browser extension left the machines of college students, as well as other users, open to attack before it was fixed.
Security researchers at Sector 7, the research section of Dutch security firm Computest, identified a cross-site scripting (XSS) bug in the Proctorio Google Chrome browser extension. Proctorio is proctoring software, a category that has come into its own during the pandemic as a means of preventing cheating during online assessments.
The technology has been widely employed in the Netherlands, much to the ire of local student organizations, which have unsuccessfully challenged its use as a privacy danger. Concerns were raised because the extension can read and modify data on websites visited by users, as well as take screenshots and monitor webcam footage.
“This [vulnerability] could be used by a malicious page to access data on any site where the user is currently logged in, for example, read all your email,” Sector7 told The Daily Swig.
“And it could be used to access features like the webcam if the user has granted any website permission to use it.”
According to a technical write-up of the flaw by Sector7, the problem stemmed from errors in the Proctorio extension's implementation of an 'open calculator' feature. Because the calculator is attached to the DOM of the page that activates Proctorio, JavaScript on that page can directly enter an expression into the calculator and then trigger its evaluation, the researchers explain.
This allows the web page to run code within the extension's content script. From the content script's scope, the page can then send messages to the extension's background page, where they are treated as messages from the content script. The researchers found that a combination of such messages was enough to trigger universal XSS (uXSS).
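To illustrate the root cause in code, here is an added example (not Proctorio's or Sector7's code; the function names are hypothetical): a calculator that hands its input to `eval()` turns any text reaching it into JavaScript execution, whereas a calculator that only parses a strict arithmetic grammar rejects everything else.

```javascript
// Added example, not code from the Proctorio extension. Function names are
// illustrative assumptions. The root cause described in the write-up was
// evaluating untrusted JavaScript from a web page inside the extension.

// Vulnerable pattern: the expression string goes straight to eval(), so any
// input that reaches this function is executed as JavaScript, not as arithmetic.
function calcUnsafe(input) {
  return eval(input);
}

// Hardened pattern: tokenise and parse a strict arithmetic grammar
// (numbers, + - * /, parentheses). Anything else is rejected up front.
function calcSafe(input) {
  const tokens = input.match(/\d+(?:\.\d+)?|[-+*/()]/g) || [];
  // If the tokens do not reassemble the whitespace-stripped input exactly,
  // the input contained characters outside the grammar (letters, dots, etc.).
  if (tokens.join('') !== input.replace(/\s+/g, '')) {
    throw new Error('rejected: only numbers, + - * / and parentheses allowed');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {                       // number | '(' expr ')' | '-' primary
    const t = next();
    if (t === '(') { const v = expr(); if (next() !== ')') throw new Error('missing )'); return v; }
    if (t === '-') return -primary();
    if (t === undefined || !/^\d/.test(t)) throw new Error('expected number');
    return parseFloat(t);
  }
  function term() {                          // primary (('*' | '/') primary)*
    let v = primary();
    while (peek() === '*' || peek() === '/') { const op = next(); const r = primary(); v = op === '*' ? v * r : v / r; }
    return v;
  }
  function expr() {                          // term (('+' | '-') term)*
    let v = term();
    while (peek() === '+' || peek() === '-') { const op = next(); const r = term(); v = op === '+' ? v + r : v - r; }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error('unexpected trailing input');
  return result;
}
```

The parser only ever computes numbers, so even input injected into the calculator's DOM by a hostile page cannot reach JavaScript execution in the content script.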
Sector7 told The Daily Swig: “[The] root cause [of the vulnerability] was evaluating untrusted JavaScript originating from a webpage in the extension, leading to universal cross-site scripting.”
Proctorio has since corrected the critical security flaw. Because Chrome browser extensions update automatically, users do not need to upgrade their software manually to be protected.
Sector7 reported the problem to Proctorio in June and, a week later, received confirmation that it had been fixed. Sector7 verified the fix in August, well before it published its technical findings last week. Sector7/Computest investigated the Proctorio software at the request of local media outlet RTL Nieuws, which subsequently compiled a report on the findings.