Tens of thousands of students were exposed to hackers for months because of a vulnerability in the surveillance software Proctorio. A so-called Universal Cross-Site Scripting (UXSS) attack allowed attackers to look over students' shoulders unnoticed and steal confidential data such as passwords for online accounts. The vulnerability came to light in June and was patched soon after.
Due to the coronavirus pandemic, students have not had normal education for almost two years; sitting exams in a large, crowded lecture hall is one of the things that has not been possible. To ensure that students do not fall behind in their studies or incur extra costs, most universities and colleges offer the option of digital exams. Everyone can then take an exam from home or from a student room.
To ensure that students do not cheat, educational institutions use proctoring software. With this software, invigilators keep a close eye on students, both during and after the exam. These programs have far-reaching capabilities. They can access your webcam and microphone, see what is on your screen, record keystrokes, and track which websites you have visited. Proctoring software can also measure eye movements and take photos and short videos.
According to many students, this is a far-reaching invasion of their privacy. The Central Student Council (CSR) of the University of Amsterdam (UvA) even brought summary proceedings before the court but lost the case. The judge called the use of proctoring software to combat exam fraud a ‘legitimate interest’. The CSR was also unsuccessful on appeal.
The Dutch Data Protection Authority is still investigating privacy violations by proctoring software.
In the past year, many educational institutions in our country required students to install this proctoring software on their computers. That is, if they wanted to participate in the digital exam. The most popular package is Proctorio. The University of Amsterdam, VU University Amsterdam, Erasmus University Rotterdam, Tilburg University, Amsterdam University of Applied Sciences and Utrecht University of Applied Sciences, among others, use this software.
At the request of a media outlet, Daan Keuper and Thijs Alkemade of Computest investigated Proctorio. The security specialists discovered a vulnerability in the software. A so-called Universal Cross-Site Scripting (UXSS) attack made it possible for hackers and cybercriminals to take over accounts simply by getting a victim to click on a malicious link. As soon as you click on this link, the Proctorio plugin is activated in the web browser. Malicious persons can then watch and steal data, such as passwords for online accounts or payment services. In other words, confidential student data was up for grabs for months.
Keuper and Alkemade presented their findings to Proctorio on 18 June. The company says it welcomes the security researchers' discovery. The vulnerability was fixed within a week of being reported. Proctorio has not said whether hackers actually exploited this vulnerability to steal confidential data.
The employees of security company Computest do have a number of tips for students who have Proctorio on their computer. They advise removing the Proctorio plugin immediately after taking an exam and installing as little extra software as possible. “The browser is one of the most secure programs on your computer. By doing as much as possible in the browser, for example emailing, video calling and editing documents, you reduce the risk of being hacked. The more software on your computer, the more potential vulnerabilities there are,” said Keuper.
Alkemade advises students to create a separate browser profile that they only use to take online exams. If you browse long enough with one web browser, it accumulates information about, among other things, your operating system, screen resolution, browser extensions and computer hardware and software. All this information together forms a unique profile or fingerprint. Indirectly, information about you can be collected by parties such as Facebook and Google. Your online anonymity is therefore no longer guaranteed.
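The two tips above (remove the exam plugin once the exam is over, and keep it in a browser profile of its own) are easy to state and easy to forget. The script below is an added example, not code from the article or from Computest, that lets a student check both at once: it walks every Chrome profile on disk, lists the extensions installed in each, and flags those that request permissions reaching across all websites. It assumes Chrome's on-disk layout of `<user data>/<Profile>/Extensions/<id>/<version>/manifest.json` and the usual default user-data paths per platform; the set of permissions it treats as "broad" is a judgement call for this example, and the sample profile tree it builds for the self-test is constructed data, not a real install.

```python
"""Audit Chrome profiles for installed extensions and the permissions they ask for.

Added example. Assumes Chrome's layout <root>/<Profile>/Extensions/<id>/<version>/manifest.json;
the BROAD_PERMISSIONS set and the sample tree are constructed for this example.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that give an extension reach over every page you visit (assumption: worth a second look).
BROAD_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "desktopCapture", "tabCapture", "history", "cookies", "debugger", "proxy",
}


def default_chrome_root() -> Path:
    """Default Chrome user-data directory for the current platform."""
    home = Path.home()
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome"
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", str(home))) / "Google" / "Chrome" / "User Data"
    return home / ".config" / "google-chrome"


def is_broad(permission: str) -> bool:
    """True for named broad permissions and wildcard host patterns such as *://*/* or https://*/*."""
    if permission in BROAD_PERMISSIONS:
        return True
    _scheme, sep, rest = permission.partition("://")
    return bool(sep) and rest.startswith("*/")  # host part is a bare wildcard


def audit_profiles(root: Path) -> dict[str, list[dict]]:
    """Return {profile_name: [records]} with one record per installed extension version."""
    report: dict[str, list[dict]] = {}
    if not root.is_dir():
        return report
    for profile in sorted(p for p in root.iterdir() if (p / "Extensions").is_dir()):
        records = []
        for ext_dir in sorted(p for p in (profile / "Extensions").iterdir() if p.is_dir()):
            for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                manifest_path = version_dir / "manifest.json"
                if not manifest_path.is_file():
                    continue
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # unreadable or malformed manifest: skip it rather than crash
                # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
                raw = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
                perms = {p for p in raw if isinstance(p, str)}
                records.append({
                    "id": ext_dir.name,
                    "name": manifest.get("name", "?"),  # may be a localized __MSG_..__ placeholder
                    "version": manifest.get("version", version_dir.name),
                    "broad": sorted(p for p in perms if is_broad(p)),
                })
        report[profile.name] = records
    return report


def format_report(report: dict[str, list[dict]]) -> str:
    """Render the audit as one line per extension, flagging broad permissions."""
    lines = []
    for profile, records in report.items():
        lines.append(f"[{profile}] {len(records)} extension(s)")
        for r in records:
            flag = ("  !! broad: " + ", ".join(r["broad"])) if r["broad"] else ""
            lines.append(f"  {r['id']}  {r['name']} {r['version']}{flag}")
    return "\n".join(lines)


def build_sample_tree(root: Path) -> None:
    """Write a constructed two-profile layout (sample data for the self-test, not a real install)."""
    exam_ext = ("Exam Proctor (sample)", "2.3.1", ["tabs", "desktopCapture"], ["<all_urls>"])
    samples = {
        "Default": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Note Taker (sample)", "1.0", ["storage"], []),
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": exam_ext,  # still installed in the everyday profile
        },
        "Exam Profile": {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": exam_ext},
    }
    for profile, exts in samples.items():
        for ext_id, (name, version, perms, hosts) in exts.items():
            d = root / profile / "Extensions" / ext_id / f"{version}_0"
            d.mkdir(parents=True)
            d.joinpath("manifest.json").write_text(json.dumps({
                "manifest_version": 3, "name": name, "version": version,
                "permissions": perms, "host_permissions": hosts}), encoding="utf-8")


def sample_audit() -> dict[str, list[dict]]:
    """Run the audit over the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return audit_profiles(Path(tmp))


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_chrome_root()
    result = audit_profiles(root)
    print(format_report(result) if result else f"no Chrome profiles found under {root}")
```

Run it with no arguments to inspect your own Chrome install, or pass a user-data directory explicitly. In the constructed sample the exam extension shows up under both `Default` and `Exam Profile`, which is exactly the state the advice warns against: the exam-only profile is doing its job, but the plugin was never removed from the everyday profile.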
Update (December 16, 2021): the GroenLinks group in the House of Representatives is concerned about these events. Lisa Westerveld and Kauthar Bouchallikh have put several written questions to outgoing Minister of Education, Culture and Science Ingrid van Engelshoven. The MPs believe that surveillance software such as Proctorio’s should only be used in exceptional cases. They want to hear from the minister whether she agrees.
The MPs also asked the education minister what measures educational institutions have taken since the vulnerability in Proctorio’s software came to light. In addition, they want to know which other anti-cheating software colleges and universities use and how the cabinet checks whether it is safe.
Finally, Westerveld and Bouchallikh have questions about the privacy risks for students and staff. They ask Van Engelshoven what privacy requirements educational institutions must meet in order to use software such as Proctorio’s, and they want to hear from the minister what privacy risks students and staff are currently exposed to.