
Anti-cheat browser extension failed network security check


John Leyden December 22, 2021 15:24 UTC

Update time: December 22, 2021 17:37 UTC

XSS vulnerability in Proctorio is resolved

A security hole in an anti-cheat browser extension gave attackers a way to break into the computers of college students and other users until it was recently patched.

Security researchers at Sector 7, the research department of the Dutch security consulting company Computest, discovered that the Proctorio Google Chrome browser extension is vulnerable to cross-site scripting (XSS) vulnerabilities.


Proctorio is proctoring software that has been used during the pandemic to prevent cheating during online exams.

The technology is widely used in the Netherlands, where local student organizations opposed it as a privacy risk, without success.

What makes this worrying is that the software can read and change data on websites visited by users, as well as take screenshots and monitor the webcam.


The controversy over the use of the technology prompted Sector7 researchers to put the software under the microscope, an inspection that led to the discovery of a universal XSS (uXSS) vulnerability that could be easily abused.

“This [vulnerability] could be used by malicious pages to access data on any site the user is currently logged in to, for example, to read all your emails,” Sector7 told The Daily Swig.

“If the user has granted permission to use any website, it can be used to access features such as webcams.”

Implementation error

In a technical write-up, Sector7 explained that the vulnerability stems from an error in the Proctorio extension’s implementation of its “open calculator” function. The researchers explained:

Because the calculator is added to the page DOM when Proctorio is active, JavaScript on the page can automatically enter an expression into the calculator and then trigger its evaluation.

This allows web pages to execute code in the content script. Then, from the context of the content script, the page can send messages to the background page, and these messages will be processed as messages from the content script. Using a combination of messages, we found that we could trigger uXSS.

Sector7 told The Daily Swig: “[The] root cause [of the vulnerability] is that untrusted JavaScript originating from web pages is being evaluated in the extension, leading to universal cross-site scripting.”
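The two root causes described above, page-controlled input reaching a JavaScript evaluator inside a content script and a background page that honours whatever a content script sends, map onto two defensive patterns. The following is an added example written for this article, not Proctorio’s or Sector7’s code: a calculator evaluator that cannot run code, beside the eval-style pattern it replaces, and a background message handler that treats content-script messages as untrusted. The function names (`unsafeEvaluate`, `safeEvaluate`, `handleBackgroundMessage`), the `ALLOWED_ACTIONS` list and the simulated sender objects (modelled on the shape of `chrome.runtime.MessageSender`) are assumptions so the code runs offline in Node without the extension APIs.

```javascript
// Added example, not Proctorio's code. Function names, the action allowlist and
// the simulated sender objects are assumptions for illustration.

// VULNERABLE pattern: a content script that evaluates a page-controlled string
// as JavaScript. Whatever the page types into the calculator box runs with the
// content script's privileges, which is the class of bug described above.
function unsafeEvaluate(expr) {
  return Function('"use strict"; return (' + expr + ')')();
}

// HARDENED pattern: a small recursive-descent parser that accepts only numbers,
// + - * / and parentheses. Any other token is rejected, so the input never
// reaches a JavaScript interpreter at all.
function safeEvaluate(expr) {
  // Numbers and operators become tokens; any other non-space character becomes
  // a one-character token that parseFactor will reject.
  const tokens = expr.match(/\d+(?:\.\d+)?|[()+\-*/]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseExpr() {            // expr := term (('+' | '-') term)*
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const rhs = parseTerm();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }
  function parseTerm() {            // term := factor (('*' | '/') factor)*
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function parseFactor() {          // factor := number | '(' expr ')' | '-' factor
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return value;
    }
    if (tok === '-') return -parseFactor();
    if (/^\d+(?:\.\d+)?$/.test(tok)) return parseFloat(tok);
    throw new Error('invalid token: ' + tok);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('unexpected token: ' + peek());
  return result;
}

// Background-page side. A message from a content script must be treated as
// untrusted, because a content script hijacked by the page (as above) can send
// anything. Checking sender.id only filters out other extensions and pages; the
// real protection is a strict allowlist of actions with validated arguments and
// no message type that carries code to be evaluated.
const ALLOWED_ACTIONS = new Set(['calc']);

function handleBackgroundMessage(msg, sender, extensionId) {
  if (!sender || sender.id !== extensionId) {
    return { ok: false, error: 'untrusted sender' };
  }
  if (!msg || typeof msg.action !== 'string' || !ALLOWED_ACTIONS.has(msg.action)) {
    return { ok: false, error: 'unknown action' };
  }
  // Only 'calc' is allowlisted; its single argument is type- and size-checked
  // and then handed to the non-executing evaluator.
  if (typeof msg.expr !== 'string' || msg.expr.length > 256) {
    return { ok: false, error: 'invalid expression' };
  }
  try {
    return { ok: true, result: safeEvaluate(msg.expr) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

The design point is that `safeEvaluate` reduces the calculator to a grammar: an input such as `alert(1)` fails at the first letter rather than being interpreted, and the background handler refuses any action it does not know, so even a compromised content script cannot reach privileged functionality through the message channel.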

Fortunately, Proctorio has fixed this serious security hole. And because Chrome browser extensions are updated automatically, users don’t need to update their software manually to be protected.

Sector7 reported the issue to Proctorio in June and was told that it had been resolved in about a week. Sector7 confirmed the fix in August, well before publishing its technical findings last week.

Sector7/Computest examined the Proctorio software at the request of the local media outlet RTL Nieuws, which subsequently published a report (English translation via Google) on the research.

The Daily Swig asked Proctorio to comment on Sector7’s research, but we have not received a substantive response.
