Risk of data breach due to URL shared from app with non-expiring verifier
07-22-2024 08:34 AM
Last week we discovered a file showing up in Google search results caused by the following:
- The Canvas student app delivered a file by generating a URL with a "non-guessable" verifier. This URL appears to bypass any permission checks, so it can be viewed / downloaded in the app in an efficient manner.
- This URL was then copied and added to a web page. This web page was then indexed by Google and a link to it, plus summary, was displayed to any member of the public who used the appropriate search term.
The problem occurs because the URL doesn't expire after, say, a few hours, which is what you would expect to happen.
L2 support have reported that they've deployed a bug fix and done more work to ensure these URLs won't appear in search results, which is good, but we're still concerned about non-expiring verifiers in URLs.
Has anybody got any thoughts or similar stories to swap?