hacking scorm assessments

Tue, Aug 3, 2010

The Sharable Content Object Reference Model (SCORM) standard is designed to allow reusable units of learning material to be used in different Learning Management Systems (LMS). The following diagram gives an outline of what’s involved in getting a Sharable Content Object (SCO) hierarchy from an LMS into a user’s web browser.

[Diagram: SCORM overview]

The activities contained in the learning unit are linked together using sequencing, which tells the Run-Time which activities to display and when. This combination of activities and sequencing produces an Activity Tree which is described in the manifest file and the entire SCORM package is zipped into a Content Package. The LMS will serve the content of this package to the user’s browser, where the Run-Time will do its job of displaying and running the various activities in the browser.

This post deals with the lowest layer in the SCORM stack, the Run-Time, where, according to the SCORM standard, the Run-Time:

“uses a well-defined algorithm to locate an ECMAScript (JavaScript) API that is provided by the LMS. This API has functions that permit the exchange of data with the LMS”

and it’s that JavaScript API, exposed by the LMS and accessible via the browser, that is the key to hacking SCORM assessments. We can think of a SCORM URL as a crude type of web service, but whereas a “normal” web service may expose a user interface (UI) while keeping the processing logic for user-entered data on the server, the SCORM service sends all of its functionality to the browser in the web response, so the processing logic is contained in the JavaScript API delivered to the browser. Hence, SCORM logic, such as calculating assessment scores, is performed in the browser, where it is under the user’s control. The following diagram outlines the process of gaining 100% in a SCORM assessment.

[Diagram: SCORM JavaScript hack]

It all boils down to an exploit, written in JavaScript, that is added to the browser as a bookmarklet. When the user activates the bookmarklet during a SCORM session, the exploit code runs inside the browser and records a 100% score in the assessment.

Having outlined the vulnerability, the security implications are put in perspective here, with a response from ADL here. ADL recommend contacting your LMS provider to see what steps they are taking to mitigate or detect hacks like this.
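Since the score is computed in the browser, the only durable mitigation is for the LMS to treat everything committed through the Run-Time API as untrusted input and re-derive the result on the server. The following is an added example, not code from the original post or from ADL or any LMS vendor, of a server-side plausibility check an LMS could apply to a commit. It takes the flat cmi element/value pairs that a SCO sets through the API (SCORM 2004 data model names such as cmi.score.scaled and cmi.interactions.n.*), recomputes the score from the recorded interactions and their correct-response patterns, and flags a commit whose reported score, status or elapsed time does not fit the evidence. The time thresholds and both sample commits are constructed for illustration.

```javascript
// Added example: server-side validation of a SCORM commit. The LMS should not
// trust cmi.score.scaled or cmi.success_status as reported by the browser;
// it re-derives them from the interactions the SCO recorded.
// Thresholds below are assumptions chosen for illustration, not SCORM values.
const MIN_SECONDS_PER_QUESTION = 3;
const MIN_SESSION_SECONDS = 30;

// Parse the ISO 8601 duration format used by cmi.total_time (e.g. "PT0H2M30S")
// into seconds. Only the H/M/S time components are handled here.
function parseDuration(iso) {
  const m = /^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$/.exec(iso || '');
  if (!m) return NaN;
  return Number(m[1] || 0) * 3600 + Number(m[2] || 0) * 60 + Number(m[3] || 0);
}

// Group the flattened cmi.interactions.<n>.<field> elements into one object
// per interaction; correct_responses.<k>.pattern values are collected as a list.
function collectInteractions(commit) {
  const byIndex = new Map();
  for (const [key, value] of Object.entries(commit)) {
    const m = /^cmi\.interactions\.(\d+)\.(.+)$/.exec(key);
    if (!m) continue;
    const idx = Number(m[1]);
    if (!byIndex.has(idx)) byIndex.set(idx, { correct_responses: [] });
    const it = byIndex.get(idx);
    if (/^correct_responses\.\d+\.pattern$/.test(m[2])) {
      it.correct_responses.push(value);
    } else {
      it[m[2]] = value;
    }
  }
  return [...byIndex.values()];
}

// Recompute the percentage score from the interactions instead of accepting
// the browser's figure. An interaction counts as correct only when the learner
// response actually matches one of the recorded correct-response patterns.
function recomputeScore(interactions) {
  if (interactions.length === 0) return 0;
  let correct = 0;
  for (const it of interactions) {
    const matches = it.correct_responses.includes(it.learner_response);
    if (it.result === 'correct' && matches) correct += 1;
  }
  return (100 * correct) / interactions.length;
}

// Validate one commit. Returns { accepted, recomputed, reasons }.
function validateCommit(commit) {
  const reasons = [];
  const interactions = collectInteractions(commit);
  const reported = Number(commit['cmi.score.scaled']) * 100;
  const recomputed = recomputeScore(interactions);

  if (interactions.length === 0 && commit['cmi.success_status'] === 'passed') {
    reasons.push('passed status without any recorded interactions');
  }
  if (Number.isNaN(reported) || Math.abs(recomputed - reported) > 0.5) {
    reasons.push(`reported score ${reported} disagrees with recomputed ${recomputed}`);
  }
  const seconds = parseDuration(commit['cmi.total_time']);
  const minSeconds = Math.max(MIN_SESSION_SECONDS,
                              interactions.length * MIN_SECONDS_PER_QUESTION);
  if (Number.isNaN(seconds) || seconds < minSeconds) {
    reasons.push('session too short for the number of questions answered');
  }
  return { accepted: reasons.length === 0, recomputed, reasons };
}

// Constructed sample: a genuine attempt, 3 of 4 answers correct.
const honestCommit = {
  'cmi.score.scaled': '0.75',
  'cmi.success_status': 'passed',
  'cmi.total_time': 'PT0H4M12S',
  'cmi.interactions.0.learner_response': 'b',
  'cmi.interactions.0.correct_responses.0.pattern': 'b',
  'cmi.interactions.0.result': 'correct',
  'cmi.interactions.1.learner_response': 'a',
  'cmi.interactions.1.correct_responses.0.pattern': 'c',
  'cmi.interactions.1.result': 'incorrect',
  'cmi.interactions.2.learner_response': 'd',
  'cmi.interactions.2.correct_responses.0.pattern': 'd',
  'cmi.interactions.2.result': 'correct',
  'cmi.interactions.3.learner_response': 'a',
  'cmi.interactions.3.correct_responses.0.pattern': 'a',
  'cmi.interactions.3.result': 'correct',
};

// Constructed sample: a commit that reports a perfect pass with no
// interactions and almost no elapsed time, the pattern the post describes.
const forgedCommit = {
  'cmi.score.scaled': '1',
  'cmi.success_status': 'passed',
  'cmi.total_time': 'PT0H0M2S',
};

console.log(validateCommit(honestCommit)); // accepted: true
console.log(validateCommit(forgedCommit)); // accepted: false, three reasons
```

The check relies on the content package actually recording interactions with correct-response patterns; an assessment that commits only a final score gives the server nothing to recompute from, which is itself a point to raise with the content author or LMS provider.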

Some historical perspective is provided by these interesting articles:
