I put this repo together after reviewing SRMUG-Secure-Browser v1.0.22, an Electron-based exam browser distributed by Eduswitch Solutions. The notes focus on design and implementation issues that affect exam integrity, proctoring reliability, and student privacy.
The review is based on an extracted app.asar bundle. I looked at readable renderer and preload code, bundled JavaScript, native helper binaries, Firebase/WebRTC usage, and the visible client-side exam/proctoring flow.
The compiled main.jsc file was not fully decompiled, so the report calls out that limitation where main-process behavior could not be confirmed from source.
The report tracks 11 issues across renderer trust boundaries, exposed configuration, IPC/message handling, exam-state design, Electron dependency age, and privacy-sensitive data collection.
Severity snapshot:
| Severity | Count | Main Themes |
|---|---|---|
| Critical | 3 | Exposed client-side secrets, unauthenticated message control, answer-key exposure |
| High | 4 | Public privileged globals, weak DevTools lockdown, old Electron, client-writable Firebase state |
| Medium | 3 | Weak VM checks, deprecated request library, GPS collection concerns |
| Low | 1 | Ineffective PrintScreen handling |
| File | Purpose |
|---|---|
SRM_Secure_Browser_Security_Review.md |
Full public review with exploit-ready secrets and bypass steps redacted |
README.md |
Repo overview, scope, severity summary, and remediation guidance |
The public version of this report intentionally avoids publishing live-looking keys or step-by-step exam bypass instructions. The goal is to document architectural weaknesses and help a maintainer, researcher, or reviewer understand what needs to be fixed without turning the write-up into an operational abuse guide.
If you are maintaining a similar Electron-based exam or kiosk application, treat the renderer as untrusted. Sensitive decisions should be enforced by the server or privileged main process, with strict validation at every boundary.
- Move answer keys and grading logic fully server-side.
- Remove hardcoded secrets from renderer code and rotate exposed credentials.
- Replace AES-ECB usage with modern authenticated encryption where encryption is actually needed.
- Validate
postMessageorigins, schemas, and allowed actions. - Remove public privileged globals such as test start/stop controls from the page context.
- Lock Firebase rules to per-student/per-session permissions and validate writes server-side.
- Upgrade Electron and remove deprecated
remoteusage. - Rework privacy-sensitive flows such as geolocation collection with explicit consent and retention rules.