irishb
Community Contributor

Are your students able to hack a hidden People page?


We just discovered that at least one student has been using a hack to access a hidden People page (meaning the People navigation link is disabled/hidden from students in the Course Navigation Menu).

The hack is adding "/users" at the end of the site's URL. This hack works via Student View as well.

The student gaining access can see other students’ names at the hidden People page but not other students' college usernames or ID numbers.

From testing in both Student View and masquerading as an active student, the hack does not appear to work with other hidden navigation areas, such as /pages, /files, or /quizzes.

When tried, each resulted in a message "That page has been disabled for this course."

I have submitted a ticket with Canvas Support, Case 02367946, and wanted to alert other schools about this issue in the meantime.

Thank you,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College

19 Replies

You're right about seeing classmates' names in Conversations, @kona - although there is one difference between People and Inbox, and that is that Inbox shows display names whereas People does not. (Which is rather strange since if you click on the student's name in People, the details page shows the display name.) This is a problem with display names which I wish would be fixed.

One wishes there could be course-level user permission overrides.  That would be a lot of work to implement, though.

Luckily People is now very good with the section-only option chosen for the students, @kblack, so FERPA might not be a problem for cross-listed courses on this issue. And Inbox is also aware of this setting.

irishb
Community Contributor

Hi Kona,

Thank you for your question and noting the behavior of name availability via the Canvas Inbox/Conversations. 

As @Nancy_Webb_CCSF points out, this isn't so much an issue for our college because the Inbox shows students' Display names, rather than registered names which may be very different from their preferred names.

So, the main reason many of our faculty have wanted/needed to keep the People page hidden is that it does not accommodate Display names, which can cause issues around Preferred Names versus Registered Names.

BUT - I just learned today that thanks to our school's IT wizards Preferred Names are now feeding into our Canvas instance! And it is an easy process via Registration for a student to use a Preferred Name for their college account.

The case in which we still want to hide the People page is to avoid FERPA issues - this is with our student orientation and housing training sites which contain hundreds of students who are not in the same classes or programs together.

For these sites, I changed the user permissions for the Student role via the sub-account that contains the courses to prevent any hacking by savvy students ; ) and moved other sites that are using the People page into a sub-sub-account under the main sub-account which allows those in the Student role to "See the list of users."

If anyone has any questions about or would like help with this kind of setup, just let me know. : )

Best wishes,

Bridget

Curricular Technology Support | Canvas Admin
The Evergreen State College
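
Added example, not part of the original thread and not Canvas code: the replies above distinguish hiding the People navigation link from removing the Student role's "See the list of users" permission at the sub-account. This Python sketch audits for courses where only the link is hidden. The data is constructed; the `read_roster` permission key, the field names, and all account and course names are assumptions.

```python
# Constructed sample data shaped like Canvas Tabs and Roles API responses.
# Assumptions (not from the thread): the "read_roster" key, the field names,
# and every account/course name below.
READ_ROSTER = "read_roster"

def people_tab_hidden(tabs):
    """True if the course's tab list marks the People tab as hidden."""
    return any(t.get("id") == "people" and t.get("hidden", False) for t in tabs)

def students_can_list_users(roles):
    """True if any student-based role still has the roster permission enabled."""
    return any(
        r.get("base_role_type") == "StudentEnrollment"
        and r.get("permissions", {}).get(READ_ROSTER, {}).get("enabled", False)
        for r in roles
    )

def audit(courses, roles_by_account):
    """Return courses whose People link is hidden but whose roster is still readable."""
    findings = []
    for course in courses:
        roles = roles_by_account.get(course["account"], [])
        if people_tab_hidden(course["tabs"]) and students_can_list_users(roles):
            findings.append(course["name"])
    return findings

def student_role(enabled):
    """Build a constructed Student role record with the roster permission set."""
    return {"role": "StudentEnrollment", "base_role_type": "StudentEnrollment",
            "permissions": {READ_ROSTER: {"enabled": enabled, "locked": False}}}

ROLES_BY_ACCOUNT = {
    "orientation-subaccount": [student_role(False)],  # permission removed
    "curricular-subaccount": [student_role(True)],    # permission left on
}
COURSES = [
    {"name": "Housing Training", "account": "orientation-subaccount",
     "tabs": [{"id": "home"}, {"id": "people", "hidden": True}]},
    {"name": "Seminar A", "account": "curricular-subaccount",
     "tabs": [{"id": "home"}, {"id": "people", "hidden": True}]},
    {"name": "Seminar B", "account": "curricular-subaccount",
     "tabs": [{"id": "home"}, {"id": "people"}]},
]

if __name__ == "__main__":
    for name in audit(COURSES, ROLES_BY_ACCOUNT):
        print(f"{name}: People link hidden, but students can still list users")
```

A course is reported only when the link is hidden and the permission is still enabled, which is the combination the original post describes.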

irishb
Community Contributor

Hi Ken,

Thank you for your question.

For our curricular sites the issue was not FERPA but Display name/Preferred Name versus registration name, but that has just recently changed and is an exciting improvement for the student experience.

The case in which we do still need to hide/block the People page to avoid FERPA issues is with our student orientation and housing training sites which contain hundreds of students who are not in the same classes or programs together, along with the consideration of any students who may have requested confidentiality.

 

I hope that has answered your question.

Best wishes,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College

kblack
Community Champion

Thank you, Bridget--yes it does! As one who has set up several non-course-related Canvas sites myself, I should have thought of some of those.  We allow students to change their display names, as well, but I'm glad I followed this discussion, because it has pointed out some interesting issues.

Best regards,

Ken


jenny_millea
Community Participant

Student privacy in Canvas is a major issue, IMHO.

At present a student cannot choose what system-generated information is made available to other students, i.e., all other students in a course can see all courses a student is enrolled in, all sections in a course, and all groups.

We have experimented with disabling People. However, as described by others this information is still available through the in-box, and also if students are in the same group as another student. 

As well, once this is done students are not able to self enrol in groups and some other interactions are not possible. 

Students should be able to choose what information they wish to display to fellow students. Full stop. End of story. 

Displaying 'nothing' should be the default and students should be able to select what is displayed to other students. 

Not providing this capability also limits the options for staff in using manually created sections for student management purposes (e.g., an Extensions section could be used for students who have been granted extensions but this information would be available to students, unless the staff member knows to call it something non-descriptive [which is not helpful]).

We have discussed this issue with other universities in Australia and they share the same concern. 

This is not something that should need feature requests and voting up, but should be part of any online community-based environment. 

sbeck1
Community Champion

@jenny_millea, when I masquerade as a student, and select other students from the people page, I'm not able to see what other courses a student is enrolled in. Can you give me more details on this? Thanks!

dwillmore
Community Champion

Unless I am wrong, and I have been wrong before, I don't believe students are able to see another student's courses.  You can allow students to see a list of students in a current course, but no more than that.

I seem to remember that students could view courses under a person's profile with the proper settings enabled, but I think that was Moodle and not Canvas.

arking
Community Participant

An online course where students don't interact would be another use case in which there is no reason to be able to see the course rosters. I don't recommend this kind of training for the most part, especially in a college, but it's out there.

pc21
Community Member

Hiya! Just found this one, and this is pretty unacceptable. If any tool is hidden, students should not be able to access it. In particular, the people tool.