Law Schools

ExamSoft Responds To Multiple Reports That Software Compromises Security

Applicants are seeing passwords hacked after downloading the software, but the company says it's coincidental.

By  
on

We’re closing in on the national day of reckoning when many of the largest jurisdictions in the country are going to hold simultaneous online bar exams on the same ExamSoft platform that got tripped up running the modest Michigan bar exam earlier this summer.

At the time, ExamSoft told the world that its problems weren’t caused by its own shortcomings but by a sophisticated cyberattack from shadowy actors with no apparent motive. What would be the point of crashing the bar exam? Even in the NCBE’s most outlandish fever dreams, diploma privilege advocates have no reason to undermine the online bar exam since they know full well the only lesson bar examiners would take from such a disaster would be the need to hold the exam in person as quickly and as cramped as possible.

But let’s take ExamSoft at its word that this was an attack and not a design flaw. Well, it’s exactly that messaging that has understandably got people worried that the platform is vulnerable and their personal data along with it. Hence this:

A California examinee reported the same issue to us. Bar Exam Tracker compiled some additional screenshots that applicants are sharing:

And…

Sponsored

This is bad, but the “good” news is that it might not be ExamSoft’s fault. In a statement sent around yesterday, the company explained that this is a feature of Google Chrome — indeed those using other browsers have not reported the issue — and coincidental to downloading the test software:

This password notification alert is unrelated to Examplify download and use. This is a feature in Chrome where the browser automatically scans the user’s saved passwords against security breaches. Any appearance of this message popping up around the time an applicant is downloading the Examplify software is completely coincidental. ExamSoft applications do not store and do not have access to any password information on exam-taker devices.

Hopefully that’s true. Chrome’s password manager can flag you upon entering a password for the first time that this password has been on black market lists in the past and if the new password being used with ExamSoft is something you’ve used for other compromised accounts in the past this is going to be the warning.

But to be clear, this is ExamSoft’s fault for failing to defend against whatever happened in Michigan and then hyping the result as a “sophisticated attack specifically aimed” at their software. They can’t credibly treat people as overreacting when ExamSoft claims they were hacked TWO MONTHS AGO. That’s exactly how you get thousands of nervous students terrified that KGB ninja hackers are out there trying to bust in through ExamSoft and it’s how you seed a panic.

We’ll keep an eye on these reports about compromised passwords.

Sponsored

HeadshotJoe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search.

Topics

, ,