Closed ormoon-ll closed 1 year ago
You'll need to make sure yourself that users cannot do this. You can achieve this by, e.g., not displaying links that allow users to leave your LMS or by adding URL filter rules to your exam configuration. For more information on both topics, please refer to https://safeexambrowser.org/developer/seb-integration.html and https://safeexambrowser.org/windows/win_usermanual_en.html#NetworkPane, respectively.
When using Safe Exam Browser in conjunction with Moodle, a vulnerability has been discovered that allows users to gain unauthorized access to social media platforms. This deviates from the expected behavior where such platforms should be inaccessible to maintain the integrity of the online examination environment.
Steps to Reproduce:
1. Launch SEB and log in to Moodle.
2. Locate and click on any external link provided within Moodle course materials or pages.
3. Once on the external website, navigate to the bottom (or any section) where social media links are typically provided.
4. Click on any of these social media links, which leads to the respective social media login page.
5. At this point, a user can log in to the social media platform, thus bypassing SEB's intended restrictions.
Version Information
This vulnerability suggests that SEB's restriction mechanism can be bypassed by a chain of legitimate website navigations initiated from within Moodle.
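The first mitigation named in the reply (not displaying links that leave the LMS) can be checked before an exam by auditing course page HTML for off-host links. The following is an added example, not part of the issue thread and not SEB or Moodle code; the hostnames, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LinkCollector(HTMLParser):
    """Collects URL-bearing attributes from anchors, iframes and forms."""
    ATTRS = {"a": "href", "area": "href", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value.strip())

def host_allowed(host, allowed_hosts):
    """Exact match or true subdomain; 'notlms.example.org' must not match."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def links_leaving_lms(html, page_url, allowed_hosts):
    """Return absolute http(s) URLs on the page that lead outside allowed_hosts."""
    collector = _LinkCollector()
    collector.feed(html)
    leaving = []
    for raw in collector.urls:
        url = urljoin(page_url, raw)  # resolves relative and scheme-relative links
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar schemes are out of scope for this audit
        if not host_allowed(parts.hostname, allowed_hosts):
            leaving.append(url)
    return leaving

# Constructed sample of a course page fragment (not real Moodle output).
SAMPLE_PAGE = """
<a href="/mod/quiz/view.php?id=7">Quiz</a>
<a href="https://docs.example.com/reading.html">Reading</a>
<a href="//media.lms.example.org/video/1">Video</a>
<a href="https://notlms.example.org/">Mirror</a>
<a href="mailto:teacher@lms.example.org">Contact</a>
"""

if __name__ == "__main__":
    for url in links_leaving_lms(SAMPLE_PAGE, "https://lms.example.org/course/view.php?id=3", ["lms.example.org"]):
        print("leaves LMS:", url)
```

Each reported link is a starting point for the kind of navigation chain described in the report, so it should either be removed from the exam course or covered by URL filter rules in the exam configuration.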