Update: The bookmarklet has been taken down as a courtesy to the e-learning developer community. I am not giving out the code, please don’t ask.
I’m always surprised how little people talk about cheating in e-learning; maybe it’s a fear of revealing just how easy it can be. The fact is, SCORM — the most common communication standard in e-learning — is fairly easy to hack. It uses a public JavaScript-based API that is easy to tap into and feed false data, and because it’s a standard, you know exactly what methods and properties are available in the API. It doesn’t matter what vendor or product produced the course (Articulate, Adobe, etc.)… if it uses SCORM, it’s vulnerable.
I’ve whipped up a proof-of-concept bookmarklet that when clicked will set your SCORM course to complete with a score of 100 (works with both SCORM 1.2 and 2004).
This bookmarklet isn’t guaranteed to work with all courses… it’s just a demonstration of what’s possible, and could be made much more sophisticated by someone highly motivated to cheat.
As e-learning continues to boom, we should be looking into ways of making courses more secure and more difficult to hack. I believe higher security should be achievable with current web technologies. For instance, how about requiring any score or completion data to be accompanied by a unique encrypted security key? Then no external script could inject false data because it wouldn’t have the required security key.
I don’t think cheating is a problem at the moment, but we should be proactive and implement better security before it becomes a problem.
For those who are curious, the bookmarklet has been successfully tested in a few LMSs and test environments, but I won’t be revealing which ones. For those interested in the tech specs, the bookmarklet is an anonymous JavaScript function with no global variables. It was error-checked in JS Lint then compressed with the ‘shrink variables’ option enabled, which means it’s pretty hard to decipher. If you’re interested in seeing the uncompressed code, post a comment below with your email and I’ll consider sending a copy.
Comments
David McClelland wrote on March 22, 2009 at 7:12 pm:
After reading, it occurred to me that much of what I do while testing would be cheating in another context. Kudos to you for thinking to open some discussion about this.
Tom King wrote on March 22, 2009 at 8:38 pm:
Great work. I submitted a white paper on this to LETSI last August.
http://wiki.letsi.org/display/nextscorm/King+-+Security+Before+Features
Several weeks before that the exploit was sent to ADL, at least 2 tool vendors and at least 3 major LMS vendors. No one seemed to care.
Just wait until SCORM is used for legal compliance training and a lawyer finds out that anyone can fake attendance/completion/score with a bookmark.
Tom King wrote on March 22, 2009 at 8:54 pm:
Sorry if this is a duplicate comment; on 1st visit JavaScript was disabled (yes, I'm paranoid about security).
I wrote an exploit like this last summer and circulated it to ADL, at least 2 tool vendors, and at least 3 LMS vendors. No one seemed to care.
In August of 2008 I published a paper, but chickened out on publishing the exploit code.
My pun-ishly titled paper was going to be "SCORM: Insecurity Risk", but I guess *I* was the insecure one– SCORM just lacks security.
http://wiki.letsi.org/display/nextscorm/King+-+Security+Before+Features
Of course ADL did nothing about this in all the time they worked on 4th Edition.
Next thing to exploit, is to iterate through the LMS API adapter itself, explore the object methods and look for SQL injection or other holes. Once you get to the LMS database, privacy and database security issues get scary fast.
Send an email to em and I'll share my version of the exploit.
Brian Dusablon wrote on March 23, 2009 at 7:45 am:
Good stuff, Philip. As we move towards more and more online training, especially in compliance courses and in secondary education, this will be extremely important.
Paul Colombo wrote on March 23, 2009 at 8:58 am:
You know, I never thought to try this via bookmarklet, good idea. I'd been doing it via Firebug for testing purposes for awhile now.
This is something LETSI should be taking into consideration with SCORM 2.0, though, if Javascript is the primary mechanism, it's going to be hackable.
I can tell you for 99% of corporate e-Learning, setting lesson_status and score.raw are enough.
Tim Martin wrote on March 23, 2009 at 9:13 am:
It's certainly an interesting thought (and a potentially useful bookmarklet).
We've often discussed with clients the fact that SCORM is ill-suited for high stakes testing. It's the nature of JS and the web, to some degree.
Is the "web services" approach to a SCORM API that the LETSI folks are discussing the right path here?
Philip Hutchison wrote on March 23, 2009 at 9:18 am:
@tim
yeah, i think web services could go a long way towards tightening up security. i just haven't seen any concrete examples from LETSI yet (though i admit i haven't read all the submitted proposals).
Chuck Allen wrote on March 23, 2009 at 5:54 pm:
LETSI is just beginning its web services API work, although there is a WS binding that BBN developed under contract with ADL that is based on the JavaScript API.
A community software approach has advantages with respect to maintenance of these API's and plugging security holes versus trying to put them through an IEEE or other formal standards processes. This is what LETSI is going to try. There is a call on the LETSI project on Wed., March 25. See the www.letsi.org/blog for details.
I also did a bit of review of the BBN-developed WSDL here:
http://www.hrinterop.org/node/91
Stefan Leyhane wrote on March 23, 2009 at 7:06 pm:
I don't think many will be surprised about the lack of security that comes along with using SCORM. We've always instructed our clients not to use SCORM for their assessments.
What's new (and frightening) is the idea of putting this in a bookmarklet that a non-technical user can make use of. Thanks for posting this.
As an LMS vendor, it's made me aware that we'll need to monitor the session times a little closer (LMS calculated vs. what the SCO reports).
Philip Hutchison wrote on March 23, 2009 at 8:56 pm:
@stefan et al
As developers/vendors, none of us are surprised people can cheat using SCORM because we understand its vulnerabilities. But I'd be willing to bet our respective clients don't have a clue just how insecure it is… I imagine they expect the course to be secure because they had to log in just like they would if they went to a banking site. They might even see an HTTPS protocol and padlock icon, deepening the impression that their course/data is safe.
No one says "oh, by the way, this system is very easy to hack." We just kind of stay mum on the subject and point out that it isn't *likely* anyone would try to hack it.
Sean wrote on March 27, 2009 at 11:13 am:
@Tom King – SCORM _is_ used for legal compliance training. Lots of it.
Florian Gnägi wrote on March 30, 2009 at 10:52 am:
Interesting post. I'm not surprised at all. As an LMS vendor we are well aware of this and don't recommend that users use SCORM for real assessment or testing. It's fine for self-tests. Since the score is calculated on the client it is also obvious that the correct answers are on the client as well (maybe hidden in a Flash file but this can be decompiled as well).
In the open source LMS OLAT we implemented a separate assessment infrastructure based on IMS QTI that does all the answer and score calculations on the server. IMHO this is the only way to prevent users from cheating and thus it can also be used for university grades etc. (which is actually done).
Robby Robson wrote on March 30, 2009 at 1:06 pm:
Can't I set up SCORM / AICC so that it reports the interactions and requires the LMS to compute the score? This is what Florian says OLAT is doing with QTI, but couldn't it also be done using SCORM or AICC if desired?
Jason Haag wrote on March 30, 2009 at 1:09 pm:
RE: –> No one says "oh, by the way, this system is very easy to hack." We just kind of stay mum on the subject and point out that it isn't likely anyone would try to hack it.
This is very true, but an experienced developer could very well add layers of security to prevent their courseware from being compromised. Assessment data could be loaded in through launch_data so without a deep understanding of how the content was architected I don't see this happening frequently. Also, sequencing rules can easily prevent someone from simply using javascript to set cmi data model element values. Doesn't it really depend on how securely the developer built the content? Without a proctor, there probably is potential for cheating! I'm sure there might be a few savvy learners out there that could figure out, but it would probably take longer than it would to actually finish the content itself. Remember, assessments are currently outside the scope of SCORM.
Philip Hutchison wrote on March 30, 2009 at 1:24 pm:
All good points.
As Jason mentions, it really depends how you build your course. For instance, if the course is pass/fail yet the learner has a "completed" status with a score of 100, that's a big red flag that something's not right.
If the course uses interactions yet none of them have reportable data, that's another red flag. So part of the solution (for now) may be to build more comprehensive reports that identify/flag irregular data.
The best most of us can do at the moment is obfuscate things… make it hard for cheaters to figure out how the course and/or quiz is structured.
Might I also note that ANY online course can be cheated simply by opening another browser window and looking up the answers? We've all heard of co-workers sitting side-by-side giving each other answers. I even know of a department that posted the answers to an online quiz on the break room wall so everyone who worked there could zip through it. They considered the course inconvenient.
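The red flags named in the comment above (a pass/fail course reporting "completed" with a score, interactions with no reportable data) and the LMS-calculated vs. SCO-reported session time comparison raised earlier in the thread can be checked on the LMS side. The sketch below is an added example, not code from the post or from any commenter; the record shape, flag names and the 120-second tolerance are assumptions.

```javascript
// Added example: LMS-side checks for the irregular SCORM 1.2 data discussed
// in the thread. Record shape, flag names and tolerance are assumptions.

// Parse a SCORM 1.2 CMITimespan ("HHHH:MM:SS" or "HHHH:MM:SS.SS") to seconds.
function timespanToSeconds(value) {
  const m = /^(\d{2,4}):(\d{2}):(\d{2}(?:\.\d{1,2})?)$/.exec(value || "");
  if (!m) return null; // missing or malformed
  return Number(m[1]) * 3600 + Number(m[2]) * 60 + Number(m[3]);
}

function flagAttempt(course, attempt, toleranceSeconds = 120) {
  const flags = [];

  // Red flag 1: pass/fail course, yet the status is "completed" with a score.
  if (course.gradingMode === "pass-fail" &&
      attempt.lessonStatus === "completed" &&
      attempt.scoreRaw !== null && attempt.scoreRaw !== undefined) {
    flags.push("STATUS_MISMATCH");
  }

  // Red flag 2: the course records interactions, but none carry a response.
  const answered = (attempt.interactions || []).filter(
    (i) => i.studentResponse !== undefined && i.studentResponse !== ""
  );
  if (course.expectedInteractions > 0 && answered.length === 0) {
    flags.push("NO_INTERACTION_DATA");
  }

  // Red flag 3: session time the SCO reported vs. time the LMS measured itself
  // (launch timestamp to last commit timestamp, both recorded server-side).
  const reported = timespanToSeconds(attempt.reportedSessionTime);
  const measured =
    (Date.parse(attempt.committedAt) - Date.parse(attempt.launchedAt)) / 1000;
  if (reported === null) {
    flags.push("SESSION_TIME_MISSING");
  } else if (Math.abs(measured - reported) > toleranceSeconds) {
    flags.push("SESSION_TIME_MISMATCH");
  }
  return flags;
}

// Keep only the attempts that need a human to look at them.
function buildReport(course, attempts) {
  return attempts
    .map((a) => ({ learner: a.learner, flags: flagAttempt(course, a) }))
    .filter((row) => row.flags.length > 0);
}

// Constructed sample data (not from any real LMS).
const COURSE = { gradingMode: "pass-fail", expectedInteractions: 10 };
const answers = (n) =>
  Array.from({ length: n }, (_, i) => ({ id: "q" + i, studentResponse: "a" }));
const SAMPLE_ATTEMPTS = [
  { learner: "learner-a", lessonStatus: "passed", scoreRaw: 85,
    interactions: answers(10), reportedSessionTime: "00:24:30",
    launchedAt: "2009-03-30T13:00:00Z", committedAt: "2009-03-30T13:25:10Z" },
  { learner: "learner-b", lessonStatus: "completed", scoreRaw: 100,
    interactions: [], reportedSessionTime: "",
    launchedAt: "2009-03-30T13:00:00Z", committedAt: "2009-03-30T13:00:20Z" },
  { learner: "learner-c", lessonStatus: "passed", scoreRaw: 100,
    interactions: answers(10), reportedSessionTime: "01:00:00",
    launchedAt: "2009-03-30T13:00:00Z", committedAt: "2009-03-30T13:00:45Z" },
];

console.log(JSON.stringify(buildReport(COURSE, SAMPLE_ATTEMPTS), null, 2));
```

A flag here is a prompt for review, not proof of cheating: all three checks rely on values the LMS can compare against its own records rather than trusting what the SCO reports.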
Matt wrote on March 30, 2009 at 2:12 pm:
Question – I am not able to get your demo to work as it is too long to create an IE bookmark. Does the demo work in IE?
Philip Hutchison wrote on March 30, 2009 at 2:36 pm:
@Matt
Nope. The *code* works in IE, but as you learned, IE won't allow a bookmarklet that large (IE uses a character limit on bookmarklets).
Before I converted the code to a bookmarklet, I simply placed the code into an href link in an HTML file and tested it directly from the HTML. In that situation, it worked in every browser I tested.
FYI I did all of my *bookmarklet* testing in Firefox.
Jason Haag wrote on March 31, 2009 at 6:55 am:
We do need more security options in SCORM to "enhance" it. I totally agree there is potential for compromising a simplistic SCORM course. However, this is more of an "accountability" issue than it is a "security" issue in my opinion. It is the content developer's responsibility to be knowledgeable enough about SCORM to prevent this type of scenario from happening. I wouldn't call this cheating, but when you're talking about a course that only requires cmi completion status or success status and/or a score to be set, then it's most likely a page turner. In SCORM 2004, you could use some simple rollup rules to prevent the course from rolling up unless a certain condition is met (independent of the completion, success status and scaled score of one SCO). A security best practices guide from ADL would be useful, but you will still run into this "accountability" problem from time to time.
Chris Haveard wrote on March 31, 2009 at 8:58 am:
The biggest question is; Would you really want to risk your score to a Javascript hack? I wouldn't. Although, the question of "is it possible to cheat" should be answered with a "no". There should be no vulnerabilities and no work-arounds. There should also be documentation on securing a SCORM course's JS layer for developers.
The same goes for SCORM that goes for SOAP. SCORM players are (I'm assuming) always based on authenticated and encrypted (SSL) access.
The person cheating is authenticated as a real person who is paying money to risk losing their tuition because they are an idiot. If a learner doesn't have the common sense to not tinker with a scored (for grade) assessment it's just a matter of time before they're caught. I'd be more worried about students writing the answers on the back of their hand or stealing an answer key. If a student really wants to cheat, they will. With the right detection tools, cheating on a web based test could be made easier to detect than older "analog" methods.
Kurt Melander wrote on March 31, 2009 at 12:24 pm:
I certainly agree with Jason, unfortunately you can't program in personal integrity. However, being JavaScript-based, it was inevitable. Yes, SCORM 2004 would add some stop-gaps to prevent this; however, we also know the staggering differences in interpretation and implementation of the 1.3.3 RTE on most LMS'es in terms of sequencing and roll-up behaviors. Although I'm glad Phillip identified this, and thankfully as well took the bookmarklet down, it is disturbing all the same. Hopefully, LMS vendors or the ADL developer community at-large can come up with a reasonable work-around.
Phillip would you please e-mail me the bookmarklet code so that I can look at it.
Thanks.
Chris Grove wrote on March 31, 2009 at 2:23 pm:
Philip,
Would you mind passing along the bookmarklet (and the uncompressed code if you don't mind)? I would be curious to test out some of the past LMS implementations I have worked on. I would like for some of my colleagues to see how vulnerable they really are.
Thanks!
Developer Deva wrote on April 2, 2009 at 4:03 am:
Can u give me the bookmarklet, i am curious to see how it is working.
Gani wrote on April 6, 2009 at 3:33 am:
Hi Philip,
Would you mind sharing the bookmarklet. I am interested in testing this.
Thanks.
Lauri Showler wrote on April 14, 2009 at 8:36 am:
I work producing 'elearning content' for my local college, trying a variety of packages, all of which use SCORM and are integrated into Moodle. As this is slowly but surely taking over from paper-based examination it absolutely has to be secure, or it makes the whole thing pointless.
I would like to try this bookmarklet on our content to see how easy it is. Please could you send me the code?
Nathan Mynarcik wrote on April 17, 2009 at 12:12 pm:
Hey Philip, this is very interesting to me. I have been assigned to developing/testing e-learning modules and am interested in seeing the code for the bookmarklet for testing purposes.
JB wrote on September 14, 2009 at 12:22 pm:
I would like to have the bookmarklet (and the uncompressed code if you don't mind?) sent to me please, I am an independent e-learning developer that publishes to many LMS systems based on clients that I develop e-learning for.
philip wrote on September 26, 2009 at 1:34 am:
@all
Sorry, I've stopped handing out the code at this point. It's not hard to write your own if you want to give it a shot. 🙂
Michael wrote on June 20, 2010 at 8:22 pm:
I can't stand SCORM!
Even the guy who invented it thinks it is way overused.