Skip to main content
Volver
Security ResearchWindowsmacOSWebRTCResponsible DisclosurePoC

Invisible Window Research

A 13-page IEEE-format research paper documenting a structural vulnerability in WebRTC-based exam proctoring. Operating systems expose documented APIs — SetWindowDisplayAffinity on Windows and NSWindow.SharingType.none on macOS — that let any application render its window invisible to screen capture while remaining fully visible on the physical display. Proctoring systems that rely on getDisplayMedia() for integrity enforcement are structurally bypassed. Proof-of-concept implementations achieved 100% evasion across all tested platforms, including macOS 26 where the attack was previously assumed mitigated.

Repositorio Read the preprint

01. Problema

Remote proctoring systems detect prohibited content by capturing the student's screen via the WebRTC getDisplayMedia() API. The implicit security assumption is that the captured frame faithfully represents the physical display. This assumption is false. Both Windows and macOS provide documented, publicly supported APIs that exclude application windows from all screen capture pipelines without privilege escalation, kernel modification, or detectable side effects. The integrity guarantee offered by capture-based proctoring is structurally broken.

02. Visión General de la Solución

  • Formalised the trust-boundary violation between the W3C Screen Capture API and the OS compositing pipeline
  • Surveyed SetWindowDisplayAffinity (Win32) and NSWindow.SharingType.none (macOS) — both documented in official SDK references
  • Built proof-of-concept implementations in Win32 C (Windows) and Swift (macOS) demonstrating full screen-capture evasion
  • Evaluated against representative WebRTC proctoring configurations in a controlled lab on Windows 10/11 and macOS 14–26
  • Analysed which behavioural detection mechanisms (gaze tracking, mouse dynamics, process enumeration) can and cannot detect the attack
  • Proposed and assessed five countermeasures, ranging from deployable (flag enumeration) to long-term (hardware attestation)
  • Coordinated OS vendor disclosure: Microsoft MSRC (Feb 2026) and Apple Product Security (Mar 2026) both responded with formal classifications

Construcción

Stack Tecnológico

Win32 C (Windows PoC)Swift / AppKit (macOS PoC)Python (pixel-level forensic verification)LaTeX (IEEE conference template, 13 pages, 53 references)
  • SetWindowDisplayAffinity + WDA_EXCLUDEFROMCAPTURE (Windows 10 v2004+) — excludes window from all screen capture APIs with zero visual artefact
  • NSWindow.SharingType.none (macOS) — hides window from CGWindowListCreateImage and ScreenCaptureKit-backed capture on macOS 14–26
  • Pixel-level forensic verification: 80.27% pixel difference in Windows capture footprint; 1,170,560-pixel macOS capture returned fully transparent
  • Empirical contradiction of the community assumption that macOS 15+ mitigated the attack vector

Seguro

  • Discovery and verification (January 2026)
  • Microsoft MSRC notified (February 2026) — classified as by-design, not a security vulnerability (April 2026)
  • Apple Product Security notified (March 2026) — classified as consistent with documented functionality, not a security issue (March 2026)
  • Public release following OS vendor responses (May 2026)
  • Proof-of-concept source code withheld; available to verified security researchers on request
  • Uses only documented, user-level OS APIs — no kernel exploits, no privilege escalation
  • Aligned with ACM and IEEE codes of ethics and CISA coordinated disclosure guidelines

03. Prueba y Verificación

Afirmaciones Verificadas

  • >100% evasion rate across Windows 10/11 and macOS 14–26, measured over 10,000+ frames per configuration
  • >Zero visual artefacts detected in captured frames (no black rectangles, compositing errors, or flicker)
  • >macOS 26.3.1 remains fully vulnerable despite Apple's documented ScreenCaptureKit changes in macOS 15 — contradicting prevailing community assumptions
  • >Linux (X11/Wayland) confirmed not vulnerable — no equivalent display affinity API exists in tested configurations
  • >Behavioural detection ineffective — gaze tracking (p = 0.41, n = 8) and mouse dynamics fell within normal exam-behaviour variance
  • >Process-level detection theoretically possible but not implemented by any current browser-based proctoring system
  • >Published as Zenodo preprint under CC BY 4.0 — DOI 10.5281/zenodo.20376495 — 13 pages, 53 references, IEEE conference format

Artículos de Investigación

1 Artículo

IEEE-format preprintCC BY 4.0 preprint

The Invisible Window: Exploiting OS-Level Display Affinity to Bypass WebRTC Proctoring Systems

13-page research paper documenting cross-platform screen-capture evasion and coordinated vendor disclosure.

Zenodo2026DOI 10.5281/zenodo.20376495
Descargar Artículo

Enlaces del Proyecto

Código Fuente Artículos de Investigación Read the preprint

Cite this work

Abedini, M. R. (2026). The Invisible Window: Exploiting OS-Level Display Affinity to Bypass WebRTC Proctoring Systems. Zenodo. https://doi.org/10.5281/zenodo.20376495