Related Ticket: #31 Loop Hole to Start Other Apps
SEB 2.0RC6 on Windows 7
Third-party application access and/or Kiosk mode
Access to Windows Explorer shell
We identified a loophole in SEB 2.0RC6 when SEB allows granting optional access to a third-party application to the tester, if the testee allows such.
What then happens is that, in the third-party application (let's say Notepad), should the tester click on Open File or Save As, then whilst in the Open File dialog box, with the right skill, the tester has access to the Windows Explorer shell and is hence able to open any application of choice, such as Chrome, and voilà, has access to sites such as Google et al.
Such 'with the right skill' is actually elementary, such as 1. typing . in the filename box, which causes the list of files pane to show all files, or 2. clicking inside the list of file names pane and pressing Ctrl+N to open a Windows Explorer shell.
This does not affect SEB materially, as students will primarily be taking eAssessments online on a webpage. There will be no access to File Open dialog windows. Most LMSs like Moodle do not provide an option for the student/tester to upload a file for a "Quiz". However, this is not the case for a "Submission".
Secondly, SEB has provision for prohibiting undesired application(s) on its block list (mitigating control). It is also noted that URL filtering (. et al) and a URL filter are planned for SEB 2.0.
A required control is to enable a config selection (click) that will explicitly block all applications except for white-listed third-party applications, much like a 'need-to-know' control concept.
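The difference between the block-list mitigation and the requested default-deny control, as an added example that is not part of the original ticket or of SEB's code: it evaluates a constructed process snapshot against both policies. All paths, PIDs, block-list entries and function names are assumptions made for illustration.

```python
import ntpath

def norm(path):
    """Canonicalise a Windows path: resolve '..', unify slashes, fold case."""
    return ntpath.normcase(ntpath.normpath(path))

# Constructed snapshot of (pid, image path) during an exam session.
SAMPLE_PROCESSES = [
    (100, r"C:\Program Files\SafeExamBrowser\SafeExamBrowser.exe"),
    (200, r"C:\Windows\System32\notepad.exe"),      # permitted third-party app
    (300, r"C:\Windows\explorer.exe"),              # shell opened from the file dialog
    (400, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (500, r"C:\Users\student\Downloads\notepad.exe"),  # same name, other location
    (600, r"c:\windows\SYSTEM32\..\System32\NOTEPAD.EXE"),  # same file as pid 200
]

# Hypothetical block list: it can only name what the examiner thought of.
BLOCKED_NAMES = {"firefox.exe", "skype.exe"}

# Hypothetical allow list: full paths, so a look-alike file name does not pass.
ALLOWED_PATHS = {
    norm(r"C:\Program Files\SafeExamBrowser\SafeExamBrowser.exe"),
    norm(r"C:\Windows\System32\notepad.exe"),
}

def blocklist_violations(processes, blocked_names):
    """Default-allow: flag only processes whose file name is on the block list."""
    return [pid for pid, path in processes
            if ntpath.basename(norm(path)) in blocked_names]

def allowlist_violations(processes, allowed_paths):
    """Default-deny: flag every process whose full path is not explicitly allowed."""
    return [pid for pid, path in processes if norm(path) not in allowed_paths]

if __name__ == "__main__":
    print("block list flags:", blocklist_violations(SAMPLE_PROCESSES, BLOCKED_NAMES))
    print("allow list flags:", allowlist_violations(SAMPLE_PROCESSES, ALLOWED_PATHS))
```

The block list flags nothing in this snapshot, while the allow list flags the Explorer shell, Chrome and the look-alike `notepad.exe`, and still accepts the differently cased path to the real Notepad.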