Risk of data breach due to URL shared from app with non-expiring verifier

marthazumack
Community Contributor

Last week we discovered a file showing up in Google search results caused by the following:

  • The Canvas student app delivered a file by generating a URL with a "non-guessable" verifier. This URL appears to bypass any permission checks so can be viewed / downloaded in the app in an efficient manner. 
  • This URL was then copied and added to a web page. This web page was then indexed by Google and a link to it, plus summary, was displayed to any member of the public who used the appropriate search term.

The problem occurs because the URL doesn't expire after, say, a few hours which would be what you expect to happen.

L2 support have reported that they've deployed a bug fix and done more work to ensure these URLs won't appear in search results, which is good, but we're still concerned about non-expiring verifiers in URLs.

Has anybody got any thoughts or similar stories to swap?