[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Secure Exam Proctor

Version 1.5.26023.31 View in Chrome Web Store

Last scanned: 3 days ago | force re-scan

Extension Details

Developer: proctorio.com

Rating: 1.1 ★ (5.6K ratings)

Users: 3,000,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has 3 million users, indicating widespread adoption in educational institutions. Proctorio.com is a known company in the online proctoring industry, providing legitimacy to the extension. However, the extremely low rating of 1.1 out of 5 stars from 5,600+ reviews is a major red flag, suggesting significant user dissatisfaction with the extension's behavior or functionality.

Concerns:

The extensive permission set is extremely invasive, even for a proctoring tool. While exam proctoring requires monitoring capabilities, several permissions appear excessive: management (controlling other extensions), proxy settings modification, privacy settings access, and unlimited storage. The broad host permissions combined with webRequest interception creates potential for comprehensive web traffic monitoring beyond exam contexts. The unsafe WebAssembly execution policy introduces additional security risks. Most concerning is the combination of system-level access (CPU, memory, display) with network interception capabilities and clipboard modification.

Recommendations:

Given the critical risk level, install this extension only in a completely separate Chrome profile dedicated exclusively to exam-taking. Never use this profile for personal browsing or accessing sensitive accounts. Immediately remove the extension after completing required exams. Consider using a virtual machine for additional isolation. Be aware that this extension has extensive monitoring capabilities that extend far beyond typical educational software. Students should verify with their institution whether alternative proctoring methods are available, given the significant privacy and security implications of this tool.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: clipboardWrite

This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: downloads

This extension has the downloads permission. Can download files and access download history. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: management

This extension has the management permission. Can manage other extensions. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: privacy

This extension has the privacy permission. Can modify privacy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: proxy

This extension has the proxy permission. Can control proxy settings. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

HIGH

Unsafe WebAssembly Execution

This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.

MEDIUM

Medium-Risk Permission: geolocation

This extension has the geolocation permission. Can access your location.

MEDIUM

Medium-Risk Permission: notifications

This extension has the notifications permission. Can show notifications.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

alarms
tabs
scripting
storage
unlimitedStorage
clipboardWrite
webRequest
declarativeNetRequest
webNavigation
management
browsingData
cookies
tts
geolocation
notifications
desktopCapture
proxy
system.cpu
system.memory
system.storage
system.display
downloads
power
tabCapture
privacy
offscreen
sidePanel

Optional Permissions:

downloads.open

Host Permissions:

ws://*/*
wss://*/*
<all_urls>

Content Security Policy:

extension_pages: script-src 'self' 'wasm-unsafe-eval'; object-src 'self';

Embedded URLs (249 total):

Page 1 of 4

Raw Manifest

{
  "name": "__MSG_extension_title__",
  "icons": {
    "16": "webassets/proctor--v3-16.png",
    "48": "webassets/proctor--v3-48.png",
    "128": "webassets/proctor--v3-128.png",
    "300": "webassets/proctor--v3-300.png"
  },
  "action": {
    "default_icon": "webassets/proctor--v3-128.png",
    "default_popup": "assets/GEVb.html",
    "default_title": "__MSG_extension_title__"
  },
  "version": "1.5.26023.31",
  "background": {
    "service_worker": "/assets/Js2Q.js"
  },
  "side_panel": {
    "default_path": "assets/sidepanel.html",
    "openPanelOnActionClick": false
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_extension_description__",
  "permissions": [
    "alarms",
    "tabs",
    "scripting",
    "storage",
    "unlimitedStorage",
    "clipboardWrite",
    "webRequest",
    "declarativeNetRequest",
    "webNavigation",
    "management",
    "browsingData",
    "cookies",
    "tts",
    "geolocation",
    "notifications",
    "desktopCapture",
    "proxy",
    "system.cpu",
    "system.memory",
    "system.storage",
    "system.display",
    "downloads",
    "power",
    "tabCapture",
    "privacy",
    "offscreen",
    "sidePanel"
  ],
  "devtools_page": "assets/YrEf.html",
  "default_locale": "en",
  "host_permissions": [
    "ws://*/*",
    "wss://*/*",
    "<all_urls>"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "downloads.open"
  ],
  "minimum_chrome_version": "109",
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';"
  },
  "declarative_net_request": {
    "rule_resources": [
      {
        "id": "ruleset_1",
        "path": "webassets/blocking.json",
        "enabled": true
      }
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "assets/eb3b642.js",
        "webassets/*.woff",
        "webassets/*.svg",
        "webassets/*.gif",
        "webassets/*.webp",
        "webassets/*.png",
        "webassets/*.html",
        "webassets/*.css",
        "webassets/*.xml",
        "webassets/*.json",
        "assets/helpers/*.js"
      ]
    }
  ]
}

by ✦ Astarte

Secure Exam Proctor

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (249 total):

Raw Manifest

Detections

Manifest Findings

https://github.com/zloirock/core-js	https://github.com/Daninet/hash-wasm
https://www.fontsquirrel.com/license/homemade-apple	http://www.apache.org/licenses/LICENSE-2.0
http://usablica.github.io/intro.js/	https://openjsf.org/
https://github.com/jquery/jquery	https://github.com/lit/lit
https://github.com/pieroxy/lz-string	https://github.com/google-ai-edge/mediapipe
https://github.com/mcollina/minimist	https://github.com/janl/mustache.js
http://opencv.org/license.html	https://github.com/webcomponents/custom-elements/tree/master
https://github.com/webcomponents/shadycss/tree/master	https://github.com/webcomponents/polyfills/tree/master/packages/webcomponentsjs
http://proctorio.zendesk.com/hc/articles/202911160	http://proctorio.zendesk.com/hc/articles/203076064
https://proctorio.zendesk.com/hc/articles/202384890	https://proctorio.zendesk.com/hc/articles/202164014
https://proctorio.zendesk.com/hc/articles/200287479	https://proctorio.zendesk.com/hc/articles/203165960
https://proctorio.zendesk.com/hc/articles/115000505932	https://proctorio.zendesk.com/hc/articles/203014064
https://proctorio.zendesk.com/hc/articles/204198197	https://proctorio.zendesk.com/hc/articles/202384390
https://proctorio.zendesk.com/hc/articles/204263178-Why-do-I-have-to-share-my-screen-with-Proctorio-	https://proctorio.zendesk.com/hc/articles/201147600
http://proctorio.zendesk.com/hc/articles/202881214	https://proctorio.zendesk.com/hc/articles/202111634
http://proctorio.zendesk.com/hc/articles/202883304	https://proctorio.zendesk.com/hc/articles/201147610
https://proctorio.zendesk.com/hc/articles/201147620	https://proctorio.zendesk.com/hc/articles/202259930
https://proctorio.zendesk.com/hc/articles/202659744	https://proctorio.zendesk.com/hc/articles/115000769972
https://proctorio.zendesk.com/hc/articles/200706535	https://proctorio.zendesk.com/hc/articles/202881214
http://chrome.blogspot.com/2015/11/updates-to-chrome-platform-support.html	https://proctorio.zendesk.com/hc/articles/200826404
https://proctorio.zendesk.com/hc/articles/204440037	https://proctorio.zendesk.com/hc/articles/216251457
https://proctorio.zendesk.com/hc/articles/203150140	https://proctorio.zendesk.com/hc/articles/4414095635853
https://proctorio.zendesk.com/hc/articles/205312568	https://proctorio.zendesk.com/hc/articles/206089927
https://proctorio.zendesk.com/hc/articles/203045034	http://proctorio.zendesk.com/hc/articles/202919260
http://proctorio.zendesk.com/hc/articles/200761954	http://proctorio.zendesk.com/hc/articles/200761964
https://proctorio.zendesk.com/hc/articles/203092698	https://proctorio.zendesk.com/hc/articles/200714395
https://proctorio.zendesk.com/hc/articles/	https://proctorio.zendesk.com/hc/articles/115000493711
https://support.google.com/chrome/answer/95414	https://proctoriostatus.com
https://proctorio.zendesk.com/hc/articles/115000760451	https://proctorio.zendesk.com/hc/articles/13569970444429-360-degree-view-of-the-exam-environment
https://proctorio.zendesk.com/hc/articles/13568378003341-Floor-Scan	https://proctorio.zendesk.com/hc/articles/13570212641165-Desk-Scan
https://proctorio.zendesk.com/hc/articles/13570462634381-Monitor-Scan	https://proctorio.zendesk.com/hc/articles/13568758290317-Ceiling-Scan
https://proctorio.zendesk.com/hc/articles/13569082799885-Under-the-Desk-Scan	https://proctorio.zendesk.com/hc/articles/13849725002765-Items-not-permitted-Notes
https://proctorio.zendesk.com/hc/articles/13572018967693-Items-not-permitted-Writing-utensils	https://proctorio.zendesk.com/hc/articles/13849490847117-Items-not-permitted-Books
https://proctorio.zendesk.com/hc/articles/13571069957133-Items-not-permitted-Food	https://proctorio.zendesk.com/hc/articles/13570968888333-Items-not-permitted-Drinks
https://proctorio.zendesk.com/hc/articles/13849597473549-Items-not-permitted-Calculators	https://proctorio.zendesk.com/hc/articles/13849664544013-Items-not-permitted-Mobile-devices
https://proctorio.zendesk.com/hc/articles/13849688073357-Items-not-permitted-Smoking	https://proctorio.zendesk.com/hc/articles/13570633246349-Items-not-permitted-Public-testing-area
https://proctorio.zendesk.com/hc/articles/360042737011	https://proctorio.zendesk.com/hc/articles/29892925399053
https://proctorio.com/about/privacy	https://proctorio.zendesk.com/hc/articles/210102628
https://proctorio.zendesk.com/hc/articles/9209847334157-Record-Environment	https://proctorio.zendesk.com/hc/articles/360002439311
https://proctorio.zendesk.com/hc/articles/202112044-Why-does-Proctorio-set-a-password-on-the-exam	https://cdn.proctorio.com/media/de/bedingungen.pdf