Major security flaw in ExamSoft software, used to administer exams at numerous law schools and even for 42 out of 50 state bar examinations in the United States.

ExamSoft test-mode disables access to all applications outside the test-taking software. It then saves a file that is uploaded to the exam servers for grading. In test-mode, ExamSoft does not disable keyboard hotkeys for changing between keyboard layouts. Thus one can toggle between English layouts (for example, qwerty, dvorak, etc.) and layouts for other languages. So far nothing wrong.

But that is where the vulnerability lies. Keyboard layouts are fully customizable and users can create their own layouts, whereby keystrokes are paired with an arbitrary string of text. Keystrokes can thus be paired to enter full sentences, potentially including rule statements or other notes to facilitate cheating. Different operating systems might have different limits for the permissible length of data associated with a keystroke. It has not been investigated. ExamSoft should create a "safe list" of approved keyboard layouts or something of the sort.

This has not been tested with custom keyboard layouts, except it is confirmed that switching between legitimate operating system keyboard layouts is possible in ExamSoft -- thus opening the path to illegitimate layouts.