Why would any competent engineer write an education system where the answers need to be in the client source instead of checked during submission? I've worked on LMS software and the answer is usually because the surrounding framework isn't rich enough to support doing so, and at some level, incompetence.
Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests
Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week. Back on October 15, 2018 an employee of Amplified IT, a …
COMMENTS
-
Saturday 13th November 2021 14:59 GMT Sam Adams the Dog
This was my first question as well. Could not the authoring software place the answers, together with the grading infrastructure, on a separate domain that requires its own authentication?
Since this issue was identified so long ago, I wonder if it was ever reported to the companies that write the testing software. It does not sound hard to fix this at the app level.
-
Monday 15th November 2021 12:14 GMT Brewster's Angle Grinder
Re: /etc/passwd
I wasn't sure how locked down the environment was. (Websites? Others apps? Mobile phones? Smart watches? Google glasses? Rainbow tables stuck to the wall out of sight of the camera?)
These are multiple choice questions (or hashing is useless), so if you can look at the source and you have a device that can do hashing, you can hash each of the potential answers (4? 5? 6?) and see which one it is.
-
Sunday 14th November 2021 03:47 GMT swm
I believe that there was a computer science professional test that graded the results as A, B, C, ...
It was later pointed out that the 'B' grades were given to people that were better than the 'A' grades.
My sister was once given a multiple choice test with a time limit guaranteeing that no one could finish before the time was up. There was no penalty for wrong answers, so my sister noticed that there were only 30 seconds to go and randomly marked all of the rest of the questions. She got a high score but the teachers were annoyed.
Be careful of standardized tests.
-
Sunday 14th November 2021 19:26 GMT Anonymous Coward
I do recall an automated programming exercise scoring program in my first year at uni. The problem wasn't so much that putting it through a debugger shared the vital details for the tests as much as it did the network credentials which were substantially above what it required.
People need to be realistic about what insecure protocols can achieve.
Funny thing is that they never really covered the debugger properly.
-
Monday 15th November 2021 14:51 GMT JimboSmith
No names - to protect the guilty
Yep, I had to do a web based test at an employer's many years ago. You could leave the answers blank on the test, which was mostly multiple choice. At least a couple of them had a text box instead so you could write your own answer. I noticed that for one of these there was an image, that was needed for the question, that hadn't loaded on the page. I checked out the source code and found the 'answers' listed there. Then I realised this image obviously didn't exist and the image was missing on purpose. None of the listed answers to the multiple choice questions were correct. They were all wrong, I suspected on purpose.
So if you answered the test and got all the questions wrong but with the source code 'answers', you were either an idiot or, more likely, cheating. The question without the image you couldn't answer correctly as you needed the picture. However, there was an answer listed in the code. So somebody cheating could 'answer it' but would unwittingly be advertising they'd definitely cheated. Somebody was very smug until the boss said they wanted a word.
-
Tuesday 16th November 2021 10:00 GMT albaleo
Not always so easy...
"Why would any competent engineer write an education system where the answers need to be in the client source instead of checked during submission?"
It's not always so straightforward. Tests have different purposes and different procedures. For example, there are tests where the question sequence will depend on the answers to previous questions. In such cases, sending data to the server after each student answer and then waiting for a response can be problematic when many students are taking the test and the school has poor infrastructure.
I work in the school testing field, but luckily in the test results reporting side and not the test delivery side. On the test delivery side, many things have to be considered, especially the importance and purpose of the test. For tests that really matter, the general guidance is that they be taken on school administered equipment.
-
Thursday 18th November 2021 13:22 GMT JulieM
Clue in Question
You are assuming that these systems are being created by competent people.
Competent people tend either to demand wages that reflect their competence, or to work for companies who provide them with advantages not measured in pounds.
This is a problem that has been brought about by a combination of (1) people acquiring a sheet of rub-down transfer lettering and suddenly imagining they can do anything an experienced calligrapher can, and (2) people wanting the services of a calligrapher but not prepared to pay the going rate.
-
Saturday 13th November 2021 02:57 GMT eldakka
Re: (sigh)
> This is not the world government forcing a tyrannous policy onto your PC.
Because in this case it isn't your PC, it is physically their PC, that they own, that they purchased, that they set up.
This is for PCs that are already managed, that is, they are already part of a domain that is using group policies, not your own personal PC. Now, if your personal PC is part of a domain, say one you set up yourself, then as the administrator of that domain you'd have control over this feature. However, for the environments it's intended for, ones where you are using someone else's PC - business, school, kiosk, cafe, testing centre - it seems reasonable to me and probably to the people who are the owners of those PCs you are using in those places.
-
Saturday 13th November 2021 21:30 GMT doublelayer
Re: (sigh)
If you're joining your computer to an external management system, which you have to do for this to work, then you're giving up control over some aspects of your system. People have to understand what power they're giving administrators and whether they're comfortable doing so. If you do that, I think you have basically consented to having such a minor thing done.
The better response would be not to include the answers in the source, and then there wouldn't be a problem. They have to be checked in at some point anyway, so the place that stores the grades can also do the grading.
-
Monday 15th November 2021 12:24 GMT phuzz
Re: (sigh)
To make it clear, the management in Chrome/ium is configured by an XML file in
/etc/opt/chrome/policies/managed/
(in Linux, I can't remember the location in Windows/OSX off the top of my head). So, if it's your computer, you can just delete/modify that file, and Chrome will work as normal. If you own a computer but don't have full root/administrator access to it, do you really own it?
-
Saturday 13th November 2021 09:15 GMT eldakka
> so, now in order to pass you need to master curl. that's really raising the bar.
Since this is for managed, locked down PCs subject to group policies, how, precisely, would you go about installing and running curl on their PC? I mean, if a business (e.g. school) is letting you use one of their PCs where they have gone to the trouble to implement group policies to enable this feature, are you likely to be able to get curl onto the machine? And if you do, do you think you'd be able to run it?
Note: TBH, I may be ascribing too much competence to these organisations. I have seen such incompetence before, so I guess they could be that bad that they'd implement this sort of group policy to disable URLs but still allow the user to be able to download (or plug in a USB drive and use it) and run arbitrary software.
-
Saturday 13th November 2021 09:31 GMT Bartholomew
Re: raising the bar
Or just use command line programs. I used to use telnet to connect to www.websitename.domainname on port 80 and then type:
GET /url-without-website HTTP/1.1
HOST: www.websitename.domainname
And hit enter key twice.
The above will obviously not work for https websites; for that you need to use a different command, "openssl s_client -connect www.websitename.domainname:443", instead of telnet, but once connected over SSL (Secure Socket Layer) then everything else is exactly the same. The exact same two commands and hit enter twice.
Blocking the ability to access the html source code in a web browser is just plain old stupid.
-
Saturday 13th November 2021 11:02 GMT TRT
Re: raising the bar
Well if it's an exam then presumably they have a user identification procedure and that can be tied into token passing and obfuscation / encryption of the answers and even questions. Specifically the article stated Google forms. I think I might know where the real problem is!
-
Saturday 13th November 2021 17:47 GMT Dinanziame
Quite apart from viewing the source, I wonder if these people know about the element inspector... Sigh.
There are also those web pages that attempt to prevent you from using the right-click menu. Or even make it impossible to copy... as if that was a meaningful protection in the age of smartphones.
-
This post has been deleted by its author
-
Saturday 13th November 2021 21:32 GMT Anonymous Coward
"Many of the best people in IT are there today, because they got curious about how stuff worked"
Does she mean people should have admin/root access on any device they use so they could keep on about being curious? Or does she admit that there are situations when access should be limited because otherwise things go the wrong way?
The ChaosDB vuln just showed what could happen when someone made the dumb decision to run some code as root...
Did she cheat routinely at school? Does she teach and let her students cheat as they like? There's always been a lot of "limitations" at school to assess what you really learnt and what not. It's in the very interest of the students. I'm proud I could pass tests at school without cheating - that's also why I learnt and understood how many things really worked, far better than those that simply cheated to pass the tests.
-
Saturday 13th November 2021 22:32 GMT Michael
reminds me of uni exams
We had a computing exam in first year. To prevent cheating, internet access was disabled on the computers in the lab. After finishing up the programming task I used telnet to connect and chat to my friend on the computer behind me. After 10 minutes or so the lecturer walked up behind me, leaned over and asked very politely what I was doing. I answered: chatting to him.
He informed me that internet access had been disabled and I explained I was using the local network. He gave me a look, said carry on and walked away. I thought it a most reasonable response.
-
Saturday 13th November 2021 23:32 GMT Stuart Castle
On the one hand, I think anyone who writes an online exam that stores the answers locally on the machine used by the person being examined is, at best, incompetent. Even if the machine is locked down so tightly the user can do nothing else apart from fill out online forms, you need to assume the machine is not secure, so should do the minimum amount of processing required. The bulk of the processing, including answer checking, should be done on the server. You should also store the user data (including the user's answers) on the server. You can, if necessary, send the correct answers to the user's browser when they have submitted the exam to the server. Even that's dubious.
On the other, I can see the need for something like this. I have a lot of experience of enterprise support, and I've found it's best to lock every product you distribute to users down as far as you can without compromising their ability to do their job. That's not to criticise the knowledge or intentions of individual users. Most users will toe the line, and do just what they need to. Some will do things they shouldn't out of curiosity. Some will do things they shouldn't maliciously. Regarding knowledge, some will have a great knowledge of computing. I've supported users who are considered experts in their respective fields. Most users aren't in this category though, so may make mistakes. To prevent them damaging something they shouldn't, it's best to lock things down.
Where I work, we lock down everything we can. Where a user needs access to change something standard users don't get, we can give them those rights, but they have to provide a good business case showing they need those rights.
-
Sunday 14th November 2021 10:54 GMT DrXym
Fix your websites
If you're hiding secrets in the source code, be it the answers to questions, or security credentials then your website is broken. It shouldn't be difficult to implement a submit answer request that returns the real answer in the response either through http or a websocket.
Blocking the ability to view source is a band aid and it's not hard to think of ways this could be circumvented.
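The server-side check that doublelayer, Stuart Castle and DrXym describe, together with Brewster's Angle Grinder's point that a hashed key shipped in the page is no secret for a multiple-choice test, as an added Python example (constructed here; not code from any commenter, from Google Forms or from the Chromium project; the question bank, session store and function names are all assumptions):

```python
"""Constructed example: why the answer key must stay on the server."""
import hashlib
import hmac
import secrets

# Constructed quiz. The full key lives only here, in server memory.
QUESTION_BANK = {
    "q1": {"text": "Which port does HTTPS use by default?",
           "options": ["80", "443", "8080", "22"], "answer": "443"},
    "q2": {"text": "Which file lists local user accounts on Unix?",
           "options": ["/etc/passwd", "/etc/hosts", "/etc/fstab", "/etc/motd"],
           "answer": "/etc/passwd"},
}

def render_page_leaky(question_id):
    """The broken pattern: the key is sent to the client, merely hashed."""
    q = QUESTION_BANK[question_id]
    return {"text": q["text"], "options": q["options"],
            "answer_sha256": hashlib.sha256(q["answer"].encode()).hexdigest()}

def recover_answer_from_hash(page):
    """Hashing hides nothing with four options: hash each one and compare."""
    for opt in page["options"]:
        if hashlib.sha256(opt.encode()).hexdigest() == page["answer_sha256"]:
            return opt
    return None

def render_page(question_id):
    """The fixed pattern: the client receives the question and options only."""
    q = QUESTION_BANK[question_id]
    return {"text": q["text"], "options": q["options"]}

_SESSIONS = {}  # session token -> {question_id: was_correct}, server side only

def start_session():
    """Issue an unguessable per-candidate token; the grade book keys on it."""
    token = secrets.token_hex(16)
    _SESSIONS[token] = {}
    return token

def submit_answer(token, question_id, choice):
    """Grade on the server and return only whether this choice was correct."""
    if token not in _SESSIONS:
        raise PermissionError("unknown session")
    q = QUESTION_BANK.get(question_id)
    if q is None or choice not in q["options"]:
        raise ValueError("invalid question or choice")
    if question_id in _SESSIONS[token]:
        raise ValueError("question already answered")  # no retry-until-green
    correct = hmac.compare_digest(choice, q["answer"])
    _SESSIONS[token][question_id] = correct
    return correct

def score(token):
    """Total correct answers, read from server state, never from the client."""
    return sum(_SESSIONS[token].values())
```

The client never receives anything a view-source policy would need to hide, so the policy becomes irrelevant rather than merely bypassable.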
-
Sunday 14th November 2021 11:28 GMT hayzoos
Serverless! Duh!
Websites have to be coded to process everything on the client because there is no server to do any processing. Every fool knows that. Besides, even if you were not serverless deployed, why on earth would you want to use all that energy in the server? Let the clients use their electricity to process. It is part of this thing called distributed computing, don't cha know. For a tech oriented group, the commenters here just don't get modern web computing.
-
Sunday 14th November 2021 11:58 GMT Blackjack
Honestly, what angers me is not that the bug got fixed but that they put the answers in the page source code. All kids or anyone else have to do is load the webpage in a web browser that will show the page source code anyway.
Was it too hard to do some basic web javascript coding and have the webpage check if the answers are correct by pulling them from somewhere else?
-
Monday 15th November 2021 11:31 GMT stungebag
No, they didn't put the answers in the page source code. They used Google Forms. The people setting the exam almost certainly had not the slightest idea, or interest, of how Forms works. It seemed to offer what they needed and even if they'd been told that the answers were hidden in the source they'd have been reassured by their admin telling them that they'd disabled the view source feature (but we now know that the disabling didn't work). They wouldn't have the slightest notion of what Javascript is so suggesting that they hand-craft some js is just silly.
And these are managed machines so almost certainly are in a school. Invigilators are walking around the room looking at screens. Possibly someone's monitoring thumbnails of the whole room using a tool such as Impero. Supervised students doing an exam under time pressure are not in a position to do much in the way of tech-based cheating, even with vulnerabilities such as this.
-
Monday 15th November 2021 11:11 GMT TeeCee
Ahem!
There is a real problem here.
If the correct and secure function of your web application relies on well behaved software hiding the easily visible source when told to, you should be fired and never be allowed to touch anything sensitive ever again.
As for the organisations running tests this way; you hired Mr quick 'n dirty to build it, look in the mirror for whose fault it is.
-
Monday 15th November 2021 13:49 GMT ColinPa
"you are not spending enough time on the question"
I remember some online education where the answers were pretty obvious.
Q: "You have received an email from an address you do not know, with speling mistakes, saying you have won the Nigerian Lottery etc."
Do you
A1. Click on the link immediately to see what you have won
A2. Think for a minute, then click on the link
A3. Ask a grandparent.
A4. Treat it as spam.
When you clicked the answer, the computer said "You have not spent long enough reading the question".
We got round this by having this in one window and doing work in another window; it took all day, but who cares.
We complained to HR, saying we are professionals with degrees and did not have the reading age of a 5 year old. They were not interested.
-
This post has been deleted by its author
-
Wednesday 16th February 2022 01:12 GMT Richard 12
Why does this policy exist at all?
It serves no practical purpose whatsoever, and cannot possibly achieve the stated goal.
The better fix is to delete the policy entirely, because it cannot possibly do what is intended. A policy that cannot possibly succeed is a problem in itself; it can only cause confusion and additional problems when it fails to achieve the goal.
Any site asking for this policy doesn't understand the problem domain and is always setting themselves up for failure. Their administrators end up playing whack-a-mole trying to lock down the client, and they will fail!
It's far better to insist that the web developer uses appropriate security measures:
If you don't want someone to see something, don't send it to them. Putting it inside an envelope marked "do not open" isn't going to stop anyone even remotely curious.
-
Wednesday 16th February 2022 18:21 GMT jvf
enough already
Arguing against a method that forces the little buggers to give answers from what they’ve learned instead of cheating seems depressingly familiar to the arguments of selfish three year olds railing about their “loss of freedom” because they’re told to wear masks and get vaccinated to help us all get through the pandemic.