Could your e-learning be stealing data from your other applications?
A corporate network is made up of numerous data systems required to carry out the day-to-day activities of the business. The majority of these systems are secured. Robust policies are put in place based upon NIST or ISO27001 that incorporate Firewalls, Intrusion Detection Systems and other hardware and software that can be used to detect and stop an attacker. Penetration Testing can be carried out to test this security. Then finally there’s training. Technical training is provided for the relevant resources and cyber awareness training is given to general staff members to prevent them from inadvertently letting in malicious applications. Cyber awareness training is often distributed via e-learning. But what if the e-learning itself were carrying out the attack?
E-Learning – How powerful is it?
E-Learning authoring tools allow e-learning modules to be created and published, which are then stored on a corporate Learning Management System (LMS) such as Moodle, Blackboard or Cornerstone. The modules are then consumed by the user as part of their learning. The LMS will track progress and record any results. The modules themselves are largely composed of HTML and JavaScript and therefore inherit the same vulnerabilities as web pages. The two main authoring tools in circulation are Articulate Storyline and Adobe Captivate. Both applications contain their own editing functionality that acts like a high-level programming language and allows the authors to manipulate objects. Additionally, both editing tools allow the addition of JavaScript.
What are the threats?
There are two potential threats that could use e-learning as a delivery platform. These are:
· Deliver a malicious payload into the corporate network
· Steal corporate date from other applications.
When users access e-learning they are accessing a webpage provided by a Learning Management System. This means that they could be exposed to malicious downloads. It would be very easy to create an object in e-learning that a user must click and then direct them to a malicious URL as a result. The reality is that the majority of e-learning would be developed by a professional organization or developed in house and therefore the likelihood of malicious content being added to e-learning would be quite slim. Additionally, Firewalls and Intrusion Detection Systems would download updates on a regular basis and prevent internal clients from accessing networks that are perceived as threats.
The second threat is more interesting. Particularly for organisation that deal with defence or have valuable corporate data. In this attack we would aim to steal data and deliver it to a third party. To carry out this attack, there are two stages:
· Access and obtain corporate data
· Transmit or deliver the content to the attacker’s external system.
The first part of this attack can be carried out passively and therefore has the potential to go undetected.
Stealing Corporate Data
Many corporate organizations rely on web-based applications. These can be used for HR applications such as timesheets, fault reporting or accessing company data. Web applications often make use of storage in the browser called localstorage or sessionstorage. This storage utility of a corporte web application could be used to store important information such as password or user information. This may or may not be encrypted. If an e-learning module could access local storage of the web application then it may be possible to steal registry keys, passwords etc. Encrypted passwords could be decrypted at a later time. We conducted an experiment to see if it were possible to write some simple code that would sit inside an e-learning module that could steal local storage and session storage information from a corporate application that was running on the same machine.
Experiment: Access Local Storage Information
Browser Storage comes in two flavours and these are sessionStorage and localStorage. As the name suggests, sessionStorage will only store data for the duration of the session. Therefore, this has limited value in terms of accessing useful information. localStorage will store data continuously, however data can only be accessed from the same origin . We wish to investigate if it’s possible for an e-learning module to use and access localStorage from a corporate web application that was being ran on the same machine.
1. Creating a Dummy Web Application:
To carry out this attack we created a dummy webpage. The whole purpose of the webpage was to store local information in the browser.
Code: This code for the web page contained the following two lines of JavaScript.
localStorage.setItem("Colour4","black");
localStorage.setItem("Colour5", "white");
This created two items in the web application containing the colours white and black. We then ran an e-learning session from the same browser but in a different tab. The aim of the session was to investigate if it were possible to extract localStorage information that was being used by the webpage inside the e-learning module.
Code: To demonstrate accessing local storage, the following script was added to an e-learning page
localStorage.setItem("Colour1", "red");
localStorage.setItem("Colour2", "blue");
localStorage.setItem("Colour3", "green");
window.open("", "reference", "height = 700,width=1024,left=25,top=25").document.write( " Local Storage Length :" + localStorage.length + "<br>The item stored in Colour 2 is:" + localStorage.getItem("Colour2"));
Outcome: The code was tested, and the e-learning module identified the number of objects stored both inside the e-learning and the web application. The module was able to retrieve an item that was being used inside the web application from localStorage.
Having proved that we can steal content from a web application running on the same browser. The next test was to see if we could take this information and transmit it to an external resource. This proved quite simple. E-Learning inherits the features of Javascript and can therefore utilise standard functionality such as Post to transmit information to a server. We were therefore able to transmit this information to a server for retrieval at a later date by other applications.
Additional experiments also proved an elearning module was capable of carrying out web fingerprinting and therefore able to determine browser type and any plugins.
Conclusion
The likelihood of an attack carried out from inside e-learning remains low, however the possibility is there. For information on technical training development or for more information regarding secure e-learning development of any topic, please contact: www.esperienzalearning.co.uk
Darren Smith completed his MSc in Cyber Security with the University of York in 2021. For his dissertation he investigated the Cyber Security of E-Learning and Learning Systems.