A student at our school has found a bit of a "hack" into the muted grade lock down that I would like to share with the community. The student discovered the hack, told us about it, and even made a YouTube video showing the exploit.
The way it works:
A student viewing his/her grades can input predictions about their grades to fudge with the numbers. This even works when a grade is muted. So if a 100 point test has yet to be graded, then a student can "guess" they will receive a 90 and see how this score will affect their overall grade.
Our student discovered that when guessing grades an arrow will appear allowing the student to revert his grade back to the original value. However, if the student guesses his/her grade correctly, then the arrow does not show up, essentially telling the student that his guess was correct.
See video: https://youtu.be/ftSN2LjEa3U
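The behavior described in the post above is a comparison oracle: the page reveals whether a guess equals the hidden score. The following is an added example, not part of the original post and not Canvas code, that models the leaky arrow logic beside a hardened form and checks that a muted row's view never varies with the hidden score. All function and field names are hypothetical.

```javascript
// Hypothetical model of one row on a student's grades page (not Canvas code).
// row.actual is the real score; row.muted means the student must not learn it.

// Leaky: the revert arrow is derived from a comparison with the hidden score,
// so its absence confirms a correct guess.
function renderLeaky(row, guess) {
  return { shown: guess, revertArrow: guess !== row.actual };
}

// Hardened: project the row down to what the student may see BEFORE any
// rendering logic runs, so no later branch can depend on the muted score.
function visibleRow(row) {
  return row.muted ? { muted: true, actual: null } : row;
}

function renderHardened(row, guess) {
  const v = visibleRow(row);
  // Muted row: the arrow appears for every entered guess.
  // Unmuted row: the student already knows the score, so comparing is harmless.
  const revertArrow = guess !== null && (v.muted || guess !== v.actual);
  return { shown: guess, revertArrow };
}

// Regression check (non-interference): for a muted row, the rendered view
// must be identical for every possible hidden score, whatever the guess.
function dependsOnHiddenScore(render, maxPoints) {
  for (let guess = 0; guess <= maxPoints; guess++) {
    const views = new Set();
    for (let actual = 0; actual <= maxPoints; actual++) {
      views.add(JSON.stringify(render({ muted: true, actual }, guess)));
    }
    if (views.size > 1) return true; // view varies with the secret: leak
  }
  return false;
}

// Constructed input: the 100 point test from the post.
console.log("leaky view depends on muted score:", dependsOnHiddenScore(renderLeaky, 100));
console.log("hardened view depends on muted score:", dependsOnHiddenScore(renderHardened, 100));
```

The same check belongs on the server side: a response for a muted assignment should be byte-for-byte identical regardless of the stored score.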
@holmer , first of all, I'm so impressed that your student not only reported this but took the time to create a media artifact documenting it. We all want to thank him!
Also, have you and your student submitted support tickets about this? Support needs to have a look at this to verify the behavior, and if it's true that this is an existing hack that can be exploited in this fashion, they will fix it.
@holmer , thanks for sharing this hack! I doubt most students would figure it out, but it's good to know that it's out there!
Did not submit support ticket yet.
Please do, @holmer , and please ask your student to do so as well, ideally directly from his Grades page. We will want to verify and fix this!
Hi Holmer,
Thank you for reporting this. This issue has now been addressed.
We love to hear about this kind of thing because we need input from lots of people to make Canvas as secure as it ought to be. If you run across anything else like this down the road, please report it as a Support ticket. The Canvas Community is an open forum, and putting it here means anybody (including, potentially, students) can find it and exploit it. We’re all about openness, but when it comes to security and privacy, we encourage folks to use discretion. :wink:
I’d also recommend encouraging your students to submit issues like this that they find privately, for the same reason. Maybe the student would like to participate in our open security program, which runs through BugCrowd. Folks who find issues like this one report details about them responsibly and confidentially through BugCrowd; we fix the problems and the reporter enjoys the benefits of our bug bounty program (we'd love to send your students coveted swag items).
Anyway, thanks again. We very much appreciate it. Please let us know if you have questions.
There are a couple of students at our school that I imagine might be interested in participating in something like BugCrowd. Could you provide information on how students might join BugCrowd in order to work on Canvas?
Hey Lee,
Here is a link to Instructure's bugcrowd landing page: https://bugcrowd.com/customers/instructure
Here is more info on how people can get involved: https://bugcrowd.com/join-the-crowd
Cheers,
SD
Thank you @holmer for sharing on the community and to the student for sharing this as well. It makes me wonder if there are other hacks out there that students haven't shared. :smileyshocked:
Bless them for posting on Reddit, etc.
@hockin just an FYI. I haven't had a student figure it out yet but good to know!
Hi Lindsay,
This particular hack or design flaw has been fixed.
Thanks,
SD
Sounds like this student has a bright future ahead! Wow!!!!!
This is not a hack, it's just basic guessing and bad server design on Canvas's side; you can just keep guessing and get your grade within time.
This is not a hack; a hack would be something like getting into an account or changing major things about classes' pages.
have a nice day
This discussion post is outdated and has been archived. Please use the Community question forums and official documentation for the most current and accurate information.