Cheating on SCORM Courses – It’s Not Difficult

Since I’ve spent much of the last 10 years working in the slightly paranoid world of information security, I’ve always been concerned about SCORM’s dependence on JavaScript for communicating with an LMS. It’s always seemed to me that it would be very vulnerable to being hacked. And, a couple of months ago, Philip Hutchison at pipwerks created a stir by demonstrating one way to do this.

As he says:

SCORM – the most common communication standard in e-learning – is fairly easy to hack. It uses a public JavaScript-based API that is easy to tap into and feed false data, and because it’s a standard, you know exactly what methods and properties are available in the API. It doesn’t matter what vendor or product produced the course (Articulate, Adobe, etc.) – if it uses SCORM, it’s vulnerable.

He’s developed:

… a proof-of-concept bookmarklet that when clicked will set your SCORM course to complete with a score of 100 (works with both SCORM 1.2 and 2004).

That’s worrying if you’re a training manager, and you’re depending on SCORM courses to prove your compliance with laws and regulations!

You can find more details (but NOT the exploit code!) on this page on Philip’s website. The ADL has also published some suggestions for ways to make assessments secure from this form of hacking, but it’s important to understand the problem really stems from the use of JavaScript as the communications mechanism.

Does this make SCORM useless? Not really, as long as you’re prepared to accept the limitations inherent in asynchronous WBT and in unproctored assessments. Any unsupervised online assessment should always be considered to be an “open-book” exam since the student could be using books and/or manuals, web access to resources such as Google, or even just a helpful coworker sitting beside him/her during the test. You’ll find a more detailed discussion of this on Mike Rustici’s blog.
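As an added illustration (not from the original post, Philip’s write-up or the ADL guidance), here is one way an LMS operator could sanity-check reported results on the server side instead of trusting whatever the browser sends. The log record shape, the time threshold and the assumption that the course normally reports interactions are all hypothetical.

```javascript
// Added example. The { element, value } log record shape and the 120-second
// threshold are assumptions; the cmi.* element names are from SCORM 1.2 / 2004.

// Session time to seconds: SCORM 1.2 "HHHH:MM:SS.SS" or the time-only subset
// of SCORM 2004 durations ("PT#H#M#S"). Returns null if absent or unparseable.
function sessionSeconds(value) {
  let m = /^(\d{2,4}):(\d{2}):(\d{2}(?:\.\d{1,2})?)$/.exec(value);
  if (m) return Number(m[1]) * 3600 + Number(m[2]) * 60 + Number(m[3]);
  m = /^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$/.exec(value);
  if (!m || !(m[1] || m[2] || m[3])) return null;
  return Number(m[1] || 0) * 3600 + Number(m[2] || 0) * 60 + Number(m[3] || 0);
}

// Returns the reasons a finished attempt deserves manual review ([] if none).
function reviewAttempt(calls, minSeconds = 120) {
  const last = {};
  let interactions = 0;
  for (const { element, value } of calls) {
    last[element] = value; // keep the final value written to each element
    if (/^cmi\.interactions\.\d+\.id$/.test(element)) interactions++;
  }
  const done = ["cmi.core.lesson_status", "cmi.completion_status", "cmi.success_status"]
    .some((k) => last[k] === "completed" || last[k] === "passed");
  if (!done) return [];
  const reasons = [];
  const secs = sessionSeconds(last["cmi.core.session_time"] || last["cmi.session_time"] || "");
  if (secs === null) reasons.push("no-session-time");
  else if (secs < minSeconds) reasons.push("session-too-short");
  if (interactions === 0) reasons.push("no-interactions");
  const raw = last["cmi.core.score.raw"] ?? last["cmi.score.raw"];
  // A perfect score is only notable alongside another anomaly.
  if (reasons.length > 0 && Number(raw) === 100) reasons.push("perfect-score");
  return reasons;
}

// Constructed sample logs (not real data).
const genuine = [
  { element: "cmi.interactions.0.id", value: "q1" }, { element: "cmi.interactions.1.id", value: "q2" },
  { element: "cmi.core.score.raw", value: "90" }, { element: "cmi.core.lesson_status", value: "passed" },
  { element: "cmi.core.session_time", value: "0000:18:42.10" },
];
const suspect = [
  { element: "cmi.completion_status", value: "completed" }, { element: "cmi.success_status", value: "passed" },
  { element: "cmi.score.raw", value: "100" }, { element: "cmi.session_time", value: "PT4S" },
];
console.log(reviewAttempt(genuine), reviewAttempt(suspect));
```

A flagged attempt is a prompt for review, not proof of tampering, since some courses legitimately report no interactions.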
