Title: SCORM Content Vulnerability Workarounds Now Available

Several blogs, forums, and Web sites recently highlighted a SCORM content vulnerability. The vulnerability they highlight is not new, nor did it originate with SCORM. It exists within the SCORM Run-Time API, which is based on an IEEE Standard (1). Some version of an ECMAScript-based API has existed in all versions of SCORM since SCORM 1.2 was released in 2001. Given the flexibility of ECMAScript within the browser environment, this vulnerability potentially allows technologically advanced users to interfere with learner tracking data communicated from content by directly overriding and/or setting various SCORM data model elements.
ADL contacted the IEEE LTSC about this issue to discuss what actions can be taken to update the current standard or develop a complementary standard that would better enforce data integrity for delivered content. Several SCORM LMS vendors are investigating ways to prevent or detect individuals who leverage this vulnerability. Please contact your vendor directly to determine the actions they are taking.
As with online banking or any other online activity that you want to be secure, you can increase security in your SCORM content, but there is no way to guarantee security. Unproctored online assessments should be considered a form of “open-book exam” since learners may have technical manuals, books, job aids, Google, or other resources in front of them while they are taking tests.
Content developers who are concerned about SCORM data integrity can take some actions to mitigate this vulnerability. Two ADL community members, Bill Blackmon and Jonathan Poltrack, have provided workarounds that may be applied to current and previous versions of SCORM content. Details for these workarounds can be found in SCORM Resources.
(1) 1484.11.2-2003 IEEE Standard for Learning Technology – ECMAScript Application Programming Interface for Content to Runtime Services Communication.

Expires: 5/31/2009 12:00 AM