First off, let me say that writing this post was a very difficult decision for me to make, as I normally try to work with vendors, companies, and organizations to fix issues like the one I am about to disclose without ever really disclosing them to the public, but in this case it just never worked out. I have tried for the last 18 months to contact just about everyone I could think of at Brainbench to disclose this issue to them, but none of my emails were ever returned. I used their bug reporting "Contact Us" form several times over this period, but still no one even acknowledged receipt of my emails or submissions. I even tried emailing common addresses such as these: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected], to name a few, but again no response, well, unless you count a few bounced emails for accounts that do not exist. I have sent them a copy of "Full Disclosure Policy (RFPolicy) v2.0" a few times, telling them they had 5 days to contact me before I release this information, but like I said, they never return any of my emails. This to me is just plain ridiculous and irresponsible on their part, as what I am about to provide you all with is information on how their core business objective of providing assessment products is just plain flawed, and their assessment results cannot be relied on as accurate.
I have personally been forced to take several of Brainbench's assessment tests during both the interviewing process and the continual certification processes that Brainbench offers, for a fee, to companies looking to evaluate, assess, and/or validate future and current employees' skill sets. Here is a direct quote from Brainbench's website:
Brainbench, a PreVisor company, has served over 5,000 corporate and 6 million individual customers. The company was founded in January 1998 with the same mission it has today: Delivering easy-to-use assessment products that predict success on the job.
Here are some statistics, again copied directly from their website:
So as you can see, they really appear to take pride in their ability to provide corporations and individuals with assessments that can aid in selecting the right candidate for a position or validating a current employee's skill set. This is why I could not comprehend their actions, or lack of action, when I attempted to contact them about this issue, which defeats their assessment engine's validity. Well, I think I have provided enough background, so let's get to the meat and potatoes of the issue at hand. Below is the timer function served to the browser as part of the assessment page:
```javascript
// Brainbench's client-side timer as reproduced on this page. Extraction dropped the
// braces, else branches, the line that advances tcount and the bodies of three if
// statements; braces and else branches are restored, the rest is marked, not guessed.
function TimerFunc()
{
    if( !doTimer )
        tf = window.setTimeout( "TimerFunc();" , 1000 );   // paused: reschedule without counting down
    // (the line that advances tcount while doTimer is true did not survive extraction)
    timeLeft = 180 - tcount;
    minutes = 0;
    seconds = 0;
    if( timeLeft > 0 )
    {
        minutes = Math.round( ( timeLeft / 60 ) - 0.5 );
        seconds = timeLeft - 60*minutes;
        if( minutes > 0 )
            document.qform.timerbox.value = minutes + ' Min. ' + seconds + ' Sec. Remaining';
        else
            document.qform.timerbox.value = seconds + " Seconds Remaining";
    }
    else
        document.qform.timerbox.value = "Time Expired";
    // window.status = timeLeft + " " + "Seconds Remaining";
    // document.qform.timerbox.value = timeLeft + " " + "Seconds Remaining";
    if( timeLeft == 30 ) { /* body not reproduced on the page */ }
    if( timeLeft <= 30 )
        document.qform.timerbox.className = "timertextboxred";
    if( timeLeft <= 25 ) { /* body not reproduced on the page */ }
    if( timeLeft == 0 )
    {
        window.clearTimeout( tf );
        timeUp = 1;
        if( resetVals ) { /* body not reproduced on the page */ }
    }
    if( doTimer )
        tf = window.setTimeout( 'TimerFunc()' , 1000 );   // running: schedule the next tick
}
```
And the page's body tag, which kicks everything off on load:

```html
<body topmargin="15" leftmargin="15" onload="doOnload(); " bgcolor="#ffffff" marginheight="15" marginwidth="15">
```
Now is the issue or vulnerability at hand apparent yet? The entire countdown, including the doTimer flag that gates it, lives in JavaScript running in the test taker's browser, where any global variable can be rewritten at will. I can think of a few ways to defeat this code, but I am only going to demonstrate one very simple and straightforward method for "stopping" and "starting" the timer at will. To stop the timer, simply copy and paste the following code into the address/location bar of your browser and hit the "enter" or "return" key while you are taking the assessment/test, and the timer will stop:
To start the timer back up simply change the “false” parameter to “true” and hit “enter” or “return” to execute the code once again. Like magic the timer will start up again where it left off.
Very simple, right? So what harm does something like this do? Well, you're not going to get "root" on or "own" Brainbench, but how valid are these assessments and/or exams now? By stopping the timer at will, a test/assessment taker can easily go look up the answer to a question he or she has absolutely no knowledge of, and score a perfect score in areas where he or she has none. This completely defeats the validity of the assessment, and these certifications and/or assessment results can no longer be trusted. Now, if I were an organization reading this article and utilizing these assessments, I would immediately contact my sales representative and pose that same question, but hey, that is just me. If I took pride in holding these certifications and paid to take these assessments, I would also call or email Brainbench to pose this question to them. This really hurts, and calls into question, the overall validity of these assessments and certifications. Maybe if enough people and/or organizations seek out Brainbench's response and/or support on this matter it can be fixed quickly.
So how can they fix this? Simply validate or remove the client-side "timer" input variable. Removing it would ensure the browser's timer variable has no impact on the actual exam time; the server would record when the exam was issued and enforce the deadline itself when answers are submitted. To validate the timer instead, a server-side function and/or timer could be used as the reference to compare against. The visual timer makes a good reference for the test/assessment taker and should not be removed in my opinion, just don't trust it to be accurate. Removing the "doTimer" variable would be a good idea as well, since I really can't come up with a valid reason for having this functionality or variable. Just start the timer and let it run; there is no need to check whether the timer should be running while a test/assessment taker is actually taking the exam. I could be wrong here since I didn't write the code, but then again I could be right too.
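To make both the pause trick described above and the fix concrete, here is an added example (my own code, not Brainbench's) that models the timer in plain JavaScript with no DOM: a client-side countdown whose decrement is gated by a doTimer flag, beside a server-side session clock that decides whether a submission arrived in time. The makeClientTimer(), openExam(), acceptAnswers() and simulate() names, the five-second grace period, and the assumption that the address-bar payload does nothing more than flip doTimer are all mine.

```javascript
const EXAM_SECONDS = 180;

// Client-side countdown modelled on the page's TimerFunc: doTimer gates the
// decrement, so "time remaining" is whatever the browser chooses to say.
function makeClientTimer() {
  const s = { doTimer: true, tcount: 0 };
  return {
    pause() { s.doTimer = false; },  // assumed effect of the address-bar payload
    resume() { s.doTimer = true; },  // same payload with "false" changed to "true"
    tick() { if (s.doTimer) s.tcount += 1; },  // one scheduled TimerFunc call
    timeLeft() { return Math.max(0, EXAM_SECONDS - s.tcount); },
  };
}

// Server-side session clock: the deadline is fixed when the exam is issued and
// compared against the server's own clock on submit. The client timer is cosmetic.
function openExam(serverNowMs) {
  return { issuedAtMs: serverNowMs, deadlineMs: serverNowMs + EXAM_SECONDS * 1000 };
}

function acceptAnswers(exam, serverNowMs, graceMs = 5000) {
  // A small grace window covers network latency; anything later is rejected
  // no matter what the candidate's timerbox displayed.
  return serverNowMs <= exam.deadlineMs + graceMs;
}

// Walk a simulated wall clock one second at a time (constructed scenario):
// the client freezes its timer at pauseAt, optionally resumes at resumeAt,
// and submits answers at submitAt seconds of real time.
function simulate({ pauseAt = null, resumeAt = null, submitAt }) {
  const client = makeClientTimer();
  const exam = openExam(0);
  for (let wall = 1; wall <= submitAt; wall++) {
    if (wall === pauseAt) client.pause();
    if (wall === resumeAt) client.resume();
    client.tick();
  }
  return {
    clientShows: client.timeLeft(),                 // what the browser displays
    serverAccepts: acceptAnswers(exam, submitAt * 1000),  // what the server decides
  };
}

// Honest candidate, paused candidate, and paused-then-resumed candidate.
console.log(simulate({ submitAt: 120 }));
console.log(simulate({ pauseAt: 30, submitAt: 600 }));
console.log(simulate({ pauseAt: 30, resumeAt: 500, submitAt: 600 }));
```

The paused client happily reports minutes remaining ten wall-clock minutes into a three-minute exam, and resuming picks up exactly where it left off, which is the behaviour the post describes. The server-side check never consults the client's countdown, so the same submission is rejected either way; that is the property the fix needs to have.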
Just as a historical reference, since I am optimistic that Brainbench will fix this issue in the near future, I have recorded a video demonstrating that this vulnerability really did work and, as of today, still works.