Skip to main content
Back to Projects
Security ResearchWindowsmacOSWebRTCResponsible DisclosurePoC

Invisible Window Research

A 12-page peer-reviewed paper documenting a critical, systemic vulnerability in WebRTC-based exam proctoring software. Operating systems expose documented APIs — SetWindowDisplayAffinity on Windows and NSWindow.SharingType.none on macOS — that allow any application to render its window invisible to screen capture while remaining fully visible on the physical display. Proctoring systems that rely on screen capture for integrity enforcement are structurally bypassed. The research achieved 100% evasion across all tested platforms with no detectable artifacts.

Repo

01. Problem

Remote exam proctoring systems detect prohibited content by capturing the student's screen via WebRTC. If an OS-level API can silently exclude a window from all capture APIs — without any privilege escalation, kernel modification, or detectable side effect — the integrity guarantee offered by these systems is fundamentally broken.

02. Solution Overview

  • Surveyed SetWindowDisplayAffinity (Win32) and NSWindow.SharingType.none (macOS) — both documented in official SDK references
  • Built PoC implementations in Win32 C (Windows) and Swift (macOS) demonstrating full screen-capture evasion
  • Tested against major WebRTC-based proctoring platforms on Windows 10, Windows 11, macOS 14, and macOS 26.3.1
  • Followed 90-day responsible disclosure: proctoring vendors (Jan 2026) and OS vendors (Feb 2026) before public release

Build

Tech Stack

Win32 C (Windows PoC)Swift (macOS PoC)LaTeX (12-page paper)Python (reasoning engine / MCP server)
  • SetWindowDisplayAffinity (Windows) — excludes window from all screen capture APIs
  • NSWindow.SharingType.none (macOS) — hides window from ScreenCaptureKit / CGWindowList
  • PoC implementations for Windows 10/11 and macOS 14 & 26.3.1
  • MCP-server-based AI reasoning engine for research methodology

Secure

  • Full responsible disclosure: proctoring vendors notified January 2026
  • OS vendors notified February 2026
  • Public release after 90-day disclosure window (March 2026)
  • PoC limited to documented, read-only OS APIs — no kernel exploits
  • CC BY 4.0 arXiv preprint with 51 citations

03. Proof & Verification

Verified Claims

  • >100% evasion rate: window remained visible on physical display, absent from all capture streams
  • >No detectable artifacts: proctoring session logs showed clean state throughout
  • >macOS 26.3.1 confirmed vulnerable despite ScreenCaptureKit changes introduced in macOS 15
  • >Linux (X11/Wayland) confirmed NOT vulnerable — no equivalent display affinity API exists
  • >12-page paper with 51 citations accepted as arXiv preprint under CC BY 4.0

Project Links

Source Code