Articulate Storyline 360

No user consent dialog, opt-in mechanism, or opt-out toggle was found anywhere in the decompiled codebase for Raygun error reporting or Gainsight engagement analytics. Both services receive data automatically during normal application use. Error reports include stack traces with file paths and system information. Gainsight tracks user engagement patterns and feature usage. This constitutes data processing without demonstrable legal basis under GDPR Article 6.

Two Gainsight PX API keys are hardcoded for stage and production environments. Gainsight PX is a product analytics platform that tracks feature usage, user engagement patterns, and behavioral data. This data is transmitted to Articulate's Gainsight instance during normal application use without visible user consent.

The application executes Windows Management Instrumentation queries to gather system information including CPU model, RAM capacity, GPU details, disk configuration, and OS version. This data is included in analytics payloads sent to Articulate services. While common for compatibility diagnostics, the collection occurs without explicit user notice.

The application's embedded Chromium browser (CefSharp) exposes full OAuth refresh tokens to JavaScript through host binding methods. Any JavaScript executing in the embedded browser — including redirected AI panel content — can call window.host.GetAuthenticationData() or window.host.GetAuthenticationObject() to retrieve the full refresh token. A refresh token enables persistent account access without re-authentication.

Five Raygun API keys are embedded in the binary for Beta, Canary, Dev, Local, and Stable environments. Error reports sent to Raygun include crash data, stack traces containing file paths and usernames, system configuration, and application state. These keys can be extracted by anyone with access to the binary and used to inject false reports or access the Raygun dashboard.

The AI assistant panel URL is configurable via a Windows registry key (aiUrl). By setting this key to an attacker-controlled server, all JavaScript host API calls are redirected. The attacker's page can then call host.GetProjectInputs() for all course content, host.GetSelectedQuestionData() for quiz answers including correct answers, and host.GetAuthenticationData() for OAuth tokens. This enables silent exfiltration of intellectual property and credentials.

When the AI writing assistant is used, HTML content is logged before and after processing. These logs may contain sensitive course material, proprietary training content, or personally identifiable information embedded in eLearning courses. Log files are written to the local filesystem without user notification.

The application sets a global ServicePointManager callback that accepts ALL certificates without validation, including expired, self-signed, and revoked certificates. This affects every HTTPS connection made by the application — OAuth authentication, analytics, error reporting, content downloads, and AI service calls. Any network attacker can intercept, read, and modify all traffic via a trivial man-in-the-middle attack.

When a URL does not include a protocol scheme, the application defaults to insecure HTTP rather than HTTPS. This affects any user-provided or configuration-specified URL including LRS endpoints, content sources, and external resource links. Combined with the SSL certificate validation bypass, this creates a complete absence of transport security.

A single 13-byte PBKDF2 salt is hardcoded in the Cryptor class and used across ALL installations globally. This salt protects LRS (Learning Record Store) passwords, character asset encryption, published content DRM, and cache encryption. Because the salt is identical everywhere, an attacker can build a rainbow table once and decrypt LRS credentials from any .story file or published course. LRS credentials provide access to learner records containing PII: names, email addresses, scores, and completion data.

The Windows Data Protection API entropy value is hardcoded as a static string across all installations. DPAPI entropy is intended to be a per-application or per-installation secret that prevents other applications running as the same user from decrypting protected data. Hardcoding it means any application with access to this string can decrypt Storyline's protected credentials, including proxy server passwords and saved registry credentials.

User data is transmitted to multiple US-hosted services: errors.articulate.com (Raygun), gainsight.articulate.com (analytics), and id.articulate.com (Okta authentication). For EU customers, GDPR Articles 44-49 require Standard Contractual Clauses or adequacy decisions for transfers outside the EEA. No evidence of such safeguards was found in the application code or documentation.

Across all 83 decompiled assemblies, no privacy policy, data collection notice, or terms of service was found embedded in the application. Users receive no notification within the application about what data is collected, where it is sent, or how to opt out. GDPR Article 13 requires that data subjects be informed at the time of collection.

Articulate provides EU-region endpoints for content services (storyline-components.eu.articulate.com), indicating awareness of data residency requirements. This is a positive step, though analytics and error reporting still route through US endpoints.