back to article Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests

Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week. Back on October 15, 2018 an employee of Amplified IT, a …

  1. jemmyww

    Why would any competent engineer write an education system where the answers need to be in the client source instead of checked during submission? I've worked on lms software and the answer is usually because the surrounding framework isn't rich enough to support doing so, and at some level, incompetence.

    1. Blane Bramble

      It seems that "never trust the client" has been forgotten.

      1. Bartholomew Bronze badge

        The right answer would be to sack the idiot who thought that delivering the answers along with the questions to the client was a good idea.

        Obviously Microsoft needed to modify this because .... ?!?!?

        1. Anonymous Coward
          Anonymous Coward

          @Bartholomew

          Obviously because they might employ someone on the basis of their test results being very good, but may have cheated and in reality be useless?

          1. TRT Silver badge

            As if that has ever happened.

          2. Anonymous Coward
            Anonymous Coward

            You don't mean...like most of the people that hold a CCNA?

        2. big_D Silver badge
          Facepalm

          Because anybody who can view source is now l33t Haxx0r!

    2. Sam Adams the Dog

      This was my first question as well. Could not the authoring software place the answers, together with the grading infrastructure, on a separate domain that requires its own authentication?

      Since this issue was identified so long ago, I wonder if it was ever reported to the companies that write the testing software. It does not sound hard to fix this at the app level.

      1. Joe W Silver badge

        Had been reported

        as noted in the article. Google was sitting on its hands, until a downstream fix trickled upstream.

    3. Brewster's Angle Grinder Silver badge

      /etc/passwd

      Even within those limits, you could salt and hash the results and then salt and hash the student's answer to see if they match. It's not foolproof, but probably enough to block real world use cases.

      1. TRT Silver badge

        Re: /etc/passwd

        If they managed to usefully cheat after such techniques had been employed then they deserve A*++

        1. David 132 Silver badge

          Re: /etc/passwd

          If they managed to usefully cheat after such techniques had been employed then they deserve A*++

          As ever, there is a relevant XKCD.

        2. Paul Kinsler

          Re: then they deserve A*++

          Perhaps if it was some kind of IT related qualification, less so if it was for (e.g.) getting on the Gas Safe register.

          1. TRT Silver badge

            Re: then they deserve A*++

            Fair point. If this is indeed the case, then this is somewhat of an explosive revelation.

        3. Brewster's Angle Grinder Silver badge

          Re: /etc/passwd

          I wasn't sure how locked down the environment was. (Websites? Others apps? Mobile phones? Smart watches? Google glasses? Rainbow tables stuck to the wall out of sight of the camera?)

          These are multiple choice questions (or hashing is useless) so if you can look at the source and you have a device to can do hashing, you can hash each of the potential answers (4? 5? 6?) and see which one it is.

    4. swm Silver badge

      I believe that there was a computer science professional test that graded the results as A, B, C, ...

      It was later pointed out that the 'B' grades were given to people that were better than the 'A' grades.

      My sister was once given a multiple choice test with a time limit guaranteeing that no one could finish before the time was up. There was no penalty for wrong answers so my sister noticed that there was only 30 seconds to go and randomly marked all of the rest of the questions. She got a high score but the teachers were annoyed.

      Be careful of standardized tests.

      1. Robert Carnegie Silver badge

        The Java programming test I sat was multiple choice. I random marked questions on areas that I hadn't studied and I assumed that it was graded accordingly. I passed, just, on the knowledge that I did have - and on random mark bonuses.

    5. Anonymous Coward
      Anonymous Coward

      I do recall an automated programming exercise scoring program in my first year at uni. The problem wasn't so much that putting it through a debugger shared the vital details for the tests as much as it did the network credentials which were substantially above what it required.

      People need to be realistic about what insecure protocols can achieve.

      Funny thing is that they never really covered the debugger properly.

    6. JimboSmith Silver badge

      No names - to protect the guilty

      Yep I had to do a web based test at an employers many years ago. You could leave the answers blank on the test which was mostly multiple choice. At least a couple of them had a text box instead so you could write your own answer. I noticed that for one of these there was an image, that was needed for the question, that hadn't loaded on the page. I checked out the source code and found the 'answers' listed there. Then I realised this image obviously didn't exist and the image was missing on purpose. None of the listed answers to the multiple choice questions were correct. They were all wrong I suspected on purpose.

      So if you answered the test and got all the questions wrong but with the source code 'answers' you were either an idiot or more likely cheating. The question without the image you couldn't answer correctly as you needed the picture. However there was an answer listed in the code. So somebody cheating could 'answer it' but would unwittingly be advertising they'd definitely cheated. Somebody was very smug until the boss said they wanted a word.

    7. John Robson Silver badge

      Particularly since this implies that the marking is done by the client, and then the final result sent back for storage...

      Why "hack" the questions when you can just send back an A* grade

    8. albaleo

      Not always so easy...

      "Why would any competent engineer write an education system where the answers need to be in the client source instead of checked during submission?"

      It's not always so straightforward. Tests have different purposes and different procedures. For example, there are tests where the question sequence will depend on the answers to previous questions. In such cases, sending data to the server after each student answer and then waiting for a response can be problematic when many students are taking the test and the school has poor infrastructure.

      I work in the school testing field, but luckily in the test results reporting side and not the test delivery side. On the test delivery side, many things have to be considered, especially the importance and purpose of the test. For tests that really matter, the general guidance is that they be taken on school administered equipment.

    9. JulieM

      Clue in Question

      You are assuming that these systems are being created by competent people.

      Competent people tend either to demand wages that reflect their competence, or to work for companies who provide them with advantages not measured in pounds.

      This is a problem that has been brought about by a combination of (1) people acquiring a sheet of rub-down transfer lettering and suddenly imagining they can do anything an experienced calligrapher can, and (2) people wanting the services of a calligrapher but not prepared to pay the going rate.

  2. Anonymous Coward
    Anonymous Coward

    (sigh)

    Dear Janne (whose app has now been made famous proving that complaining about anything and everything is rewarding eventually so everyone should do it all the time), whose PC is it?

    This is not the world government forcing a tyrannous policy onto your PC.

    1. eldakka Silver badge

      Re: (sigh)

      > This is not the world government forcing a tyrannous policy onto your PC.

      Because in this case it isn't your PC, it is physically their PC, that they own, that they purchased, that they set up.

      This is for PC's that are already managed, that is, they are already part of a domain that is using group policies, not your own personal PC. Now, if your personal PC is part of a domain, say one you set up yourself, then as the administrator of that domain you'd have control over this feature. However, for the environments it's intended for, ones where you are using someone else's PC - business, school, kiosk, cafe, testing centre - it seems reasonable to me and probably the people who are the owners of those PCs you are using in those places.

    2. Sam Adams the Dog

      Re: (sigh)

      How sure are you that it's the institution's PC? That was not stated in the article. It seems logical to assume that students taking an exam can take it on their own computers.

      1. doublelayer Silver badge

        Re: (sigh)

        If you're joining your computer to an external management system, which you have to do for this to work, then you're giving up control over some aspects of your system. People have to understand what power they're giving administrators and whether they're comfortable doing so. If you do that, I think you have basically consented to having such a minor thing done.

        The better response would be not to include the answers in the source, and then there wouldn't be a problem. They have to be checked in at some point anyway, so the place that stores the grades can also do the grading.

      2. phuzz Silver badge
        Stop

        Re: (sigh)

        To make it clear, the management in Chrome/ium is configured by an XML file in /etc/opt/chrome/policies/managed/ (in Linux, I can't remember the location in Windows/OSX off the top of my head.).

        So, if it's your computer, you can just delete/modify that file, and Chrome will work as normal. If you own a computer but don't have full root/administrator access to it, do you really own it?

        1. TRT Silver badge

          Re: (sigh)

          If you're not supposed to but you do acquire it then yes, you do pwn the computer!

  3. runt row raggy

    so, now in order to pass you need to master curl. that's really raising the bar.

    1. eldakka Silver badge

      > so, now in order to pass you need to master curl. that's really raising the bar.

      Since this is for managed, locked down PCs subject to group policies, how, precisely, would you go about installing and running curl on their PC? I mean, if a business (e.g. school) is letting you use one of their PCs where they have gone to the trouble to implement group policies to enable this feature, are you likely able to be able to get curl onto the machine? And if you do, do you think you'd be able to run it?

      Note: TBH, I may be ascribing too much competence to these organisations. I have seen such incompetence before, so I guess they could be that bad that they'd implement this sort of group policy to disable URLs but still allow the user to be able to download (or plug in a USB drive and use it) and run arbitrary software.

      1. Richard 12 Silver badge

        It's there by default

        curl is included with Windows now.

        Sure, you can block it by policy. Along with all the other ways of downloading over HTTPS...

        There's a *lot* of them.

    2. captain veg Silver badge

      Or failing that, telnet.

      Have to say I find much more annoying the fact that Blink-based browsers on Android have no dev tools at all*.

      -A.

      *If you know otherwise, please tell.

    3. Flocke Kroes Silver badge

      ... or python

      A python script could submit the answers too.

  4. runt row raggy

    raising the bar

    so, now you just have to use a different browser. or just curl. this is really raising the bar for cheating.

    1. Bartholomew Bronze badge
      FAIL

      Re: raising the bar

      Or just use command line programs, I used to use use telnet to connect to www.websitename.domainname on port 80 and then type:

      GET /url-without-webiste HTTP/1.1

      HOST: www.websitename.domainname

      And hit enter key twice.

      The above will obviously not work for https websites for that you need to use a different command "openssl s_client -connect www.websitename.domainname:443" instead of telnet but once connected over SSL (Secure Socket Layer) then everything else is exactly the same. The exact same two commands and hit enter twice.

      Blocking the ability to access the html source code in a web browser is just plain old stupid.

      1. TRT Silver badge

        Re: raising the bar

        Well if it's an exam then presumably they have a user identification procedure and that can be tied into token passing and obfuscation / encryption of the answers and even questions. Specifically the article stated Google forms. I think I might know where the real problem is!

  5. Danny 14

    just dont bother and use a proctor. Search keylogs and page impressions, if developer or view source is used then fail the exam.

    Quite simply telling people not to cheat should be enough.

  6. Mage
    Coffee/keyboard

    Stupid test design!

    "Tech savvy students were viewing the source code of web-based tests to determine the answers."

    1) bad test design

    2) Admin blocking of view source could be exploited. A stupid feature.

    3) Other issues!

  7. Dinanziame Silver badge
    Facepalm

    Quite apart from viewing the source, I wonder if these people know about the element inspector... Sigh.

    There are also those web pages that attempt to prevent you from using the right-click menu. Or even make it impossible to copy... as if that was a meaningful protection in the age of smartphones.

  8. Blackjack Silver badge

    They will find a way to cheat anyway.

  9. LDS Silver badge

    "Many of the best people in IT are there today, because they got curious about how stuff worked"

    Does she mean people should have admin/root access on any device they use so they could keep on about being curious? Or does she admits that there are situations when access should be limited because otherwise things go the wrong way?

    The ChaosDB vuln just showed what could happen when someone made the dumb decision to run some code as root...

    Did she cheated routinely at school? Does she teach and let her students cheat as they like? There's always been a lot of "limitations" at school to assess what you really learnt and what not. It's in the very interest of the students. I'm proud I could pass tests at school without cheating - that's also why I learn and understood how many things worked really, far better that those that simply cheated to pass the tests.

  10. Michael

    reminds me of uni exams

    We had had a computing exam in first year. To prevent cheating internet access was disabled on the computers in the lab. After finishing up the programming task I used telnet to connect and chat to my friend on the computer behind me. After 10 minutes or so the lecturer walk up behind me, leaned over and asked very politely what I was doing. I answered chatting to him.

    He informed me that internet access had been disabled and I explained I was using the local network. He gave me a look, said carry on and walked away. I thought it a most reasonable response.

  11. Stuart Castle Silver badge

    On the one hand, I think anyone who writes an online exam that stores the answers locally on the machine used by the person being examined is, at best, incompetent. Even if the machine is locked down so tightly the user can do nothing else apart from fill out online forms, you need to assume the machine is not secure, so should do the minimum amount of processing required. The bulk of the processing, including answer checking, should be done on the server. You should also store the user data (including the user's answers) on the server. You can, if necessary, send the correct answers to the user's browser when they have submitted the exam to the server. Even that's dubious.

    On the other, I can see the need for something like this. I have a lot of experience of enterprise support, and I've found it's best to lock every product you distribute to users down as far as you can without compromising their ability to do their job. That's not to criticise the knowledge or intentions of individual users. Most users will toe the line, and do just what they need to. Some will do things they shouldn't out of curiosity. Some will do things they shouldn't maliciously. Regarding knowledge, some will have a great knowledge of computing. I've supported users who are considered experts in their respective fields. Most users aren't in this category though, so may make mistakes.. To prevent them damaging something they shouldn't, it's best to lock things down.

    Where I work, we lock down everything we can. Where a user needs access to change something standard users don't get, we can give them those rights, but they have to provide a good business case showing they need those rights.

    1. LDS Silver badge
      Devil

      Of course. But you'd need to hire a competent developer who didn't spend most time learning how to cheat his or her test watching a Youtube video, and then wrote the test application cutting and pasting from StackOverflow.

  12. Winkypop Silver badge
    Windows

    ‘View source’ started my IT career

    But then I was just really curious and not cheating.

  13. CookieMonster999

    But can they open the developer tools ? You can get the source using that, too.

  14. DrXym Silver badge

    Fix your websites

    If you're hiding secrets in the source code, be it the answers to questions, or security credentials then your website is broken. It shouldn't be difficult to implement a submit answer request that returns the real answer in the response either through http or a websocket.

    Blocking the ability to view source is a band aid and it's not hard to think of ways this could be circumvented.

  15. hayzoos
    Joke

    Serverless! Duh!

    Website have to be coded to process everything on the client because there is no server to do any processing. Every fuel knows that. Besides, even if you were not serverless deployed, why on earth would you want to use all that energy in the server, let the clients use their electricity to process. It is part of this thing called distributed computing don't cha know. For a tech oriented group the commenters here just don't get modern web computing.

  16. Blackjack Silver badge

    Honesty what angers me is not that the bug got fixed but that they put the answers in the page source code. All kids or anyone else have to do is load the webpage in a web browser that will show the page source code anyway.

    Was it too hard to do some basic web javascript coding and have the webpage check if the answers are correct by pulling them from somewhere else?

    1. Robert Carnegie Silver badge

      Evidently, the situation is an exam room where you use the college or company's own PC and it does not allow a different browser or a command prompt. Running "Windows 10 S" probably. ;-)

    2. stungebag

      No, they didn't put the answers in the page source code. They used Google Forms. The people setting the exam almost certainly had not the slightest idea, or interest, of how Forms works. It seemed to offer what they needed and even if they'd been told that the answers were hidden in the source they'd have been reassured by their admin telling them that they'd disabled the view source feature (but we now know that the disabling didn't work). They wouldn't have the slightest notion of what Javascript is so suggesting that they hand-craft some js is just silly.

      And these are managed machines so almost certainly are in a school. Invigilators are walking around the room looking at screens. Possibly someone's monitoring thumbnails of the whole room using a tool such as Impero. Supervised students doing an exam under time pressure are not in a position to do much in the way of tech-based cheating, even with vulnerabilities such as this.

  17. Robert Grant Silver badge

    That's one way to look at it, though it dismisses pretty much everyone who has worked for Microsoft, Google, Apple, and every other commercial technology company that has implemented any system that recognizes permission settings and user privileges.

    No it doesn't. It ... it just doesn't.

  18. castaway

    Just don't use Google Forms?

    Student can fill their answers and then get an e-mail with their scores and the correct answers. No Big Deal.

    Using Google Forms to be able to check answers in Real-time is bad Reasoning. There are other much better strategies to have online examinations.

  19. TeeCee Gold badge
    Facepalm

    Ahem!

    There is a real problem here.

    If the correct and secure function of your web application relies on well behaved software hiding the easily visible source when told to, you should be fired and never be allowed to touch anything sensitive ever again.

    As for the organisations running tests this way; you hired Mr quick 'n dirty to build it, look in the mirror for whose fault it is.

    1. TRT Silver badge

      Re: Ahem!

      Mr Quick n Dirty in this case appears to also go by the name of Mx Google and they have form. Or Forms.

  20. ColinPa Silver badge

    "you are not spending enough time on the question"

    I remember some online education where the answers were pretty obvious.

    Q:"You have received an email from an address you do not know, with speling mistakes, saying you have won the Nigerian Lottery etc.

    Do you

    A1. Click on the link immediately to see what you have won

    A2. Think for a minute, then click on the link

    A3. Ask a grandparent.

    A4. Treat it as spam.

    When you clicked the answer, the computer said "You have not spent long enough reading the question".

    We got round this by having this in one window, and did work in another window, it took all day - but who cares

    We complained to HR, saying we are professionals with degrees, and did not have the reading age of a 5 year old. They were not interested.

    1. Negative Charlie

      Re: "you are not spending enough time on the question"

      "We complained to HR, saying we are professionals with degrees, and did not have the reading age of a 5 year old."

      Ah. You must be in Management.

  21. DomDF
    Alert

    #Ad

    Is this sponsored content for Microsoft, Google and co, or is El Reg just boot licking as a hobby?

    1. TRT Silver badge

      Re: #Ad

      You can find the answer to your question by viewing the source of this page.

  22. Richard 12 Silver badge
    FAIL

    Why does this policy exist at all?

    It serves no practical purpose whatsoever, and cannot possibly achieve the stated goal.

    Better fix is to delete the policy entirely, because it cannot possibly do what is intended. A policy that cannot possibly succeed is a problem in itself, it can only cause confusion and additional problems when it fails to achieve the goal.

    Any site asking for this policy doesn't understand the problem domain and is always setting themselves up for failure. Their administrators end up playing whack-a-mole trying to lock down the client, and they will fail!

    It's far better to insist that the web developer uses appropriate security measures:

    If you don't want someone to see something, don't send it to them. Putting it inside an envelope marked "do not open" isn't going to stop anyone even remotely curious.

  23. jvf

    enough already

    Arguing against a method that forces the little buggers to give answers from what they’ve learned instead of cheating seems depressingly familiar to the arguments of selfish three year olds railing about their “loss of freedom” because they’re told to wear masks and get vaccinated to help us all get through the pandemic.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like