Community Help

holmer · ‎05-22-2017

A student at our school has found a bit of a "hack" into the muted grade lock down that I would like the share with the community. The student discovered the hack, told us about it, and even made a YouTube video showing the exploit.

The way it works:

A student viewing his/her grades can input predictions about their grades to fudge with the numbers. This even works when a grade is muted. So if a 100 point test has yet to be graded, then a students can "guess" they will receive a 90 and see how this score will effect their overall grade.

Our student discovered that when guessing grades an arrow will appear allowing the student to revert his grade back to the original value. However, if the student guesses his/her grade correctly, then the arrow does not show up. Essentially telling the student that his guess was correct.

See video: https://youtu.be/ftSN2LjEa3U

Stef_retired · ‎05-22-2017

@holmer , first of all, I'm so impressed that your student not only reported this but took the time to create a media artifact documenting it. We all want to thank him!

Also, have you and your student submitted support tickets about this? Support needs to have a look at this to verify the behavior, and if it's true that this is an existing hack that can be exploited in this fashion, they will fix it.

View solution in original post

kona · ‎05-22-2017

@holmer , thanks for sharing this hack! I doubt most students would figure it out, but it's good to know that it's out there!

View solution in original post

holmer · ‎05-22-2017

Did not submit support ticket yet.

View solution in original post

Stef_retired · ‎05-22-2017

Please do, @holmer ‌, and please ask your student to do so as well, ideally directly from his Grades page. We will want to verify and fix this!

View solution in original post

Stef_retired · ‎05-22-2017

@holmer , first of all, I'm so impressed that your student not only reported this but took the time to create a media artifact documenting it. We all want to thank him!

Also, have you and your student submitted support tickets about this? Support needs to have a look at this to verify the behavior, and if it's true that this is an existing hack that can be exploited in this fashion, they will fix it.

holmer · ‎05-22-2017

Did not submit support ticket yet.

Stef_retired · ‎05-22-2017

Please do, @holmer ‌, and please ask your student to do so as well, ideally directly from his Grades page. We will want to verify and fix this!

kona · ‎05-22-2017

@holmer , thanks for sharing this hack! I doubt most students would figure it out, but it's good to know that it's out there!

scottdennis · ‎05-23-2017

Hi Holmer,

Thank you for reporting this. This issue has now been addressed.

We love to hear about this kind of thing because we need input from lots of people to make Canvas as secure as it ought to be. If you run across anything else like this down the road, please report it as a Support ticket. The Canvas Community is an open forum, and putting it here means anybody (including, potentially, students) can find it and exploit it. We’re all about openness, but when it comes to security and privacy, we encourage folks to use discretion. :wink:

I’d also recommend encouraging your students to submit issues like this that they find privately, for the same reason. Maybe the student would like to participate in our open security program, which runs through BugCrowd. Folks who find issues like this one report details about them responsibly and confidentially through BugCrowd; we fix the problems and the reporter enjoys the benefits of our bug bounty program (we'd love to send your students coveted swag items).

Anyway, thanks again. We very much appreciate it. Please let us know if you have questions.

principal · ‎06-01-2017

There are a couple of students at our school that I imagine might be interested in participating in something like BugCrowd. Could you provide information on how students might join BugCrowd in order to work on Canvas?

scottdennis · ‎06-05-2017

Hey Lee,

Here is a link to Instructure's bugcrowd landing page: https://bugcrowd.com/customers/instructure

Here is more info on how people can get involved: https://bugcrowd.com/join-the-crowd

Cheers,

SD

ProfessorBeyrer · ‎05-23-2017

Thank you @holmer ‌ for sharing on the community and to the student for sharing this as well. It makes me wonder if there are other hacks are out there that student's haven't shared.:smileyshocked:

scottdennis · ‎05-25-2017

Bless them for posting on Reddit, etc.

lgaughan · ‎05-30-2017

@hockin ‌ just an FYI. I haven't had a student figure it out yet but good to know!

scottdennis · ‎05-30-2017

Hi Lindsay,

This particular hack or design flaw has been fixed.

Thanks,

SD

ebarrios · ‎06-01-2017

Sounds like this student has a bright future ahead! Wow!!!!!

DanielWood1 · ‎11-01-2023

This not not a hack, it's just basic guessing and bad server design on Canvas's side, you can just keep guessing and get your grade within time,
this is not a hack, a hack would be something like getting into an account or changing major things about classes' pages.

have a nice day

[ARCHIVED] Student discovered his MUTED GRADE

Archived

Questions

You're signed out

[ARCHIVED] Student discovered his MUTED GRADE

Archived

Questions

Community Help

View our top guides and resources: