The Proctorio Chrome Extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute resulting in unauthorized interaction with extension functionality.

The Proctorio Chrome Extension contained multiple instances of window.addEventListener('message', ...) handlers that did not validate the sender's origin. Specifically, a listener in the extension's internal messaging bridge accepted messages based solely on the presence of a fromWebsite property without verifying event.origin. This allowed a malicious webpage to use window.open() to open a page where the vulnerable script was injected and send crafted postMessage payloads to the extension's content script, which would then proxy those messages to the privileged background script.

The vulnerability allowed an attacker to send crafted postMessage payloads to the extension's background script from an external origin. However, the practical impact was significantly limited:

• The vulnerable code existed only on unpublished pages for an unreleased feature that was never publicly accessible or indexed by search engines
• Testing by both the researcher and Proctorio confirmed that no payload was identified that could disable security features, expose internal data, or manipulate exam state
• The exploit could not be executed against users during an active proctored exam
• No demonstrated path to bypassing pre-exam checks (such as ID verification or room scans) was confirmed

The finding represents a deviation from secure messaging best practices (missing origin validation), but no working exploit with security impact was demonstrated.