hacking scorm assessments
Tue, Aug 3, 2010
The Sharable Content Object Reference Model (SCORM) standard is designed to allow reusable units of learning material to be used in different Learning Management Systems (LMS). The following diagram gives an outline of what’s involved in getting a Shareable Content Object (SCO) hierarchy from an LMS into a user’s web browser.
The activities contained in the learning unit are linked together using sequencing, which tells the Run-Time which activities to display and when. This combination of activities and sequencing produces an Activity Tree which is described in the manifest file and the entire SCORM package is zipped into a Content Package. The LMS will serve the content of this package to the user’s browser, where the Run-Time will do its job of displaying and running the various activities in the browser.
This post deals with the lowest layer in the SCORM stack, the Run-Time, where, according to the SCORM standard, the Run-Time:
Having outlined the vulnerability, the security implications are put in perspective here with an ADL response here. ADL recommend contacting your LMS provider to see what steps they are taking to mitigate or detect hacks like this.
Some historical perspective is provided by these interesting articles: