Are your students able to hack a hidden People page?

Question asked by Bridget Irish on Sep 6, 2017
We just discovered that at least one student has been using a hack to access a hidden People page (meaning the People navigation link is disabled/hidden from students in the Course Navigation Menu).


The hack is adding "/users" at the end of the site's URL. This hack works via Student View as well.


The student gaining access can see other students’ names at the hidden People page but not other students' college usernames or ID numbers.


From testing in both Student View and masquerading as an active student, the hack does not appear to work with other hidden navigation areas, such as /pages, /files, or /quizzes.

When tried, each resulted in a message "That page has been disabled for this course."


I have submitted a ticket with Canvas Support, Case 02367946, and wanted to alert other schools about this issue in the meantime.
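The behaviour reported above (a link hidden from the menu but still served when the URL is requested directly) is modelled below as an added example. It is not part of the original post and is not Canvas code. The route handlers, the 403 status, the course id and the "forgotten per-route check" cause are assumptions made for illustration; only the paths and the disabled-page message come from the post.

```python
# Simplified, constructed model: hiding a navigation link versus enforcing
# the same course setting when the URL is requested directly.
DISABLED_MSG = "That page has been disabled for this course."

# Constructed course setting: tabs the instructor hid from students.
HIDDEN_TABS = {"users", "pages", "files", "quizzes"}
ALL_TABS = ["home", "users", "pages", "files", "quizzes"]

def nav_menu(role):
    """Links rendered in the course menu; hidden tabs are omitted for students."""
    return [t for t in ALL_TABS if role != "student" or t not in HIDDEN_TABS]

def handle_per_route(role, path):
    """'Before' (assumed cause): each route checks for itself; 'users' has no check."""
    tab = path.rstrip("/").split("/")[-1]
    checked_routes = {"pages", "files", "quizzes"}  # 'users' was left out
    if role == "student" and tab in checked_routes and tab in HIDDEN_TABS:
        return 403, DISABLED_MSG  # status code is an assumption
    return 200, f"{tab} content"

def handle_central(role, path):
    """'After': one check keyed on the course setting runs for every route."""
    tab = path.rstrip("/").split("/")[-1]
    if role == "student" and tab in HIDDEN_TABS:
        return 403, DISABLED_MSG
    return 200, f"{tab} content"

def audit(handler, role="student"):
    """Hidden tabs that are absent from the menu yet served on direct request."""
    menu = set(nav_menu(role))
    return sorted(
        t for t in HIDDEN_TABS
        if t not in menu and handler(role, f"/courses/1/{t}")[0] == 200
    )

if __name__ == "__main__":
    print("per-route checks:", audit(handle_per_route))
    print("central check   :", audit(handle_central))
```

Running `audit` as a regression test after each release catches a tab that is hidden in the menu but not enforced at the route.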


