XSS flaw in Proctorio gets resolved

Security researchers have discovered a vulnerability in Proctorio, an anti-cheating browser extension used to invigilate online exams

A web security flaw in an anti-cheating browser extension created a means to hack into the computers of university students and other users before it was recently patched.

The Proctorio Google Chrome browser extension was vulnerable to a cross-site scripting (XSS) flaw, security researchers at Sector 7, the research division of Dutch security consultancy Computest, discovered.

Swotting up

Proctorio is a form of proctoring software, technology that has come into its own during the pandemic to safeguard against cheating during online tests.

The technology is widely used in the Netherlands, much to the ire of local student organizations that have unsuccessfully opposed the use of the technology as a privacy risk.

Concerns arose because the software can read and change data on websites that users visit, as well as take screenshots and monitor webcam footage.


Controversy over the use of the technology prompted researchers at Sector7 to put the software under the microscope – an examination that led to the discovery of an easily abused universal XSS (uXSS) vulnerability.

“This [vulnerability] could be used by a malicious page to access data on any site where the user is currently logged in, for example, read all your email,” Sector7 told The Daily Swig.

“And it could be used to access features like the webcam if the user has granted any website permission to use it.”

Implementation errors

As a technical write-up of the vulnerability by Sector7 explains, the flaw arose from errors in the Proctorio extension’s implementation of an ‘open calculator’ function. The researchers explain:

Because the calculator is added to DOM of the page activating Proctorio, JavaScript on the page can automatically enter an expression for the calculator and then trigger the evaluation.

This allows the webpage to execute code inside the content script. From the context of the content script, the page can then send messages to the background page that are handled as messages from the content script. Using a combination of messages, we found we could trigger uXSS.

Sector7 told The Daily Swig: “[The] root cause [of the vulnerability] was evaluating untrusted JavaScript originating from a webpage in the extension, leading to universal cross-site scripting.”
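One way to avoid the root cause Sector7 describes, shown as an added example (not Proctorio's code or its actual fix, which the article does not detail): a calculator that parses a strict arithmetic grammar itself instead of handing page-reachable text to the JavaScript engine. The function names `tokenize` and `safeCalc` are hypothetical.

```javascript
// Added example with hypothetical names; not Proctorio's code.
// Risky pattern (the root cause quoted above): eval(text) or new Function(text),
// where text comes from a DOM node that the host page's own script can write to.
// Hardened form: accept only a strict arithmetic grammar and compute it directly.

function tokenize(input) {
  const src = input.trim();
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))/y; // numbers, operators, parentheses
  const tokens = [];
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error("unexpected character in expression");
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  return tokens;
}

function safeCalc(input) {
  // The length cap also bounds recursion depth for nested parentheses.
  if (typeof input !== "string" || input.length > 256) throw new Error("rejected input");
  const t = tokenize(input);
  let i = 0;
  const expr = () => {
    let v = term();
    while (t[i] === "+" || t[i] === "-") v = t[i++] === "+" ? v + term() : v - term();
    return v;
  };
  const term = () => {
    let v = factor();
    while (t[i] === "*" || t[i] === "/") v = t[i++] === "*" ? v * factor() : v / factor();
    return v;
  };
  const factor = () => {
    const tok = t[i++];
    if (typeof tok === "number") return tok;
    if (tok === "-") return -factor();
    if (tok === "(") {
      const v = expr();
      if (t[i++] !== ")") throw new Error("missing closing parenthesis");
      return v;
    }
    throw new Error("malformed expression");
  };
  const result = expr();
  if (i !== t.length) throw new Error("trailing tokens");
  return result;
}

// Constructed sample: an arithmetic string as a user might type it.
console.log(safeCalc("2 * (3 + 4) - 1"));
```

Anything outside the grammar, including identifiers, property access and statement separators, throws before any value is computed, so text written into the calculator by the host page is never executed as script.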

Fortunately, the serious security bug has since been fixed by Proctorio. And, since Chrome browser extensions are updated automatically, there is no need for users to update their software manually to get protected.

Sector7 reported the problem to Proctorio in June, receiving assurance that it had been resolved around a week later. The fix was confirmed by Sector7 in August, long before it published its technical findings last week.

Sector7/Computest examined the Proctorio software at the request of local media outlet RTL Nieuws, which subsequently put together a report (English language translation via Google) on the research.

The Daily Swig asked Proctorio to comment on Sector7’s research but we’re yet to receive a substantive reply.
