cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
james_sanzin
Community Champion

Can a student cheat on a Canvas quiz by viewing the source code?

Jump to solution


I was monitoring a few of my students during a quiz and source code was popping up on their screen.  Was  this a glitch due to network lag or something, or were they more than likely cheating?

Tags (2)
7 Solutions

Accepted Solutions
cesbrandt
Community Champion

The answers to the quizzes cannot be found in the source code.

As for whether they were attempting to cheat or not, I couldn't tell you. It's highly unlikely that they would have encountered the source code as a result of lag, but it's also not entirely outside the realm of possibility. All I can tell you is that they can not get the answers from the source code.

If, by some odd chance, they have the permissions and knowledge, they could query the API for the answers, but that's highly unlikely. I would imagine that practically anyone with that level of knowledge and access wouldn't be a student, or would be knowledgeable enough not to bother with cheating.

View solution in original post

james_sanzin
Community Champion

Thanks. I'm trying to figure out why the source code was popping up and what exploits the students are going to try.

View solution in original post

As far as I'm aware, the Instructure network has been running fine the last couple of days. So, unless your school was having network trouble at the time, it's probable that the students were looking for the answers, but I can't say that is the case.

If you're concerned about intentional attempts at cheating, I'd recommend looking into monitoring systems that would allow an authorized user to view the screens of the computers in a designated classroom. Just be aware that such software would need to be identified as being in use by the institution, at least as part of the technology agreement (assuming you have a separate agreement specifically for technology). This is an important legal concern should you seek to pursue it. The students must be aware that their use of the computers can be monitored, in real time, without prior warning in an attempt to prevent cheating.

View solution in original post

cshore
Community Member

This TiKTok Video is claiming it can hack the answer key through the source code. Is his process legit?

https://www.youtube.com/watch?v=WatoompIRik

View solution in original post

0 Kudos
cesbrandt
Community Champion

No, that video is blatantly fake and is easily testable.

 

The first clue is the excessive amount of cuts in the video. If it were truly a walkthrough on how to cheat the system, there would be no need for cuts.

The second clue is the end result. The API endpoints return a JSON string, not an HTML page. What they show has clearly be altered to show what they wanted the viewer to see, not what it actually does.

The final clue is the API endpoint. That endpoint doesn't have anything to do with quizzes. It's actually a recurring call made to update the badge on the Inbox icon of the main menu to reflect a users new message count. If you look at the URL they show at the 0:17 mark, even with the horrendous quality of the video you can see that the endpoint is for `/api/v1/conversations/unread`, and not for anything relating to quizzes.

 

Looking into the original video, it appears to be some strange marketing campaign for an Apple-based tutoring app called Kadama, but I can't confirm that there's any actual relation.

View solution in original post

-Aki-
Community Member

Umm how do you cheat? Not for me, it's for research purposes.

View solution in original post

0 Kudos
cesbrandt
Community Champion
If you have to ask, you don't need to know.

Simply put, cheating a server-side system requires either exploiting a security loophole or having the permissions to do so.

The first is determined through intentional attempts to exploit the system to find vulnerabilities. This type of process requires extensive knowledge of how the system works before attempting to find a gap. These tend to get quickly reported and subsequently fixed. If you're looking for specifics on how to do this, you're not likely to find it on this community. It's an integrity concern that extends well beyond a single institution.

The second results from a misuse of authority by someone that already has access, whether intentional (they give permissions to someone they are good friends with) or not (they accidentally give permissions to someone because their name is similar to someone that was actually supposed to get the permissions). This is an auditing issue entirely on the institution to deal with.

View solution in original post

0 Kudos
7 Replies
cesbrandt
Community Champion

The answers to the quizzes cannot be found in the source code.

As for whether they were attempting to cheat or not, I couldn't tell you. It's highly unlikely that they would have encountered the source code as a result of lag, but it's also not entirely outside the realm of possibility. All I can tell you is that they can not get the answers from the source code.

If, by some odd chance, they have the permissions and knowledge, they could query the API for the answers, but that's highly unlikely. I would imagine that practically anyone with that level of knowledge and access wouldn't be a student, or would be knowledgeable enough not to bother with cheating.

View solution in original post

james_sanzin
Community Champion

Thanks. I'm trying to figure out why the source code was popping up and what exploits the students are going to try.

View solution in original post

As far as I'm aware, the Instructure network has been running fine the last couple of days. So, unless your school was having network trouble at the time, it's probable that the students were looking for the answers, but I can't say that is the case.

If you're concerned about intentional attempts at cheating, I'd recommend looking into monitoring systems that would allow an authorized user to view the screens of the computers in a designated classroom. Just be aware that such software would need to be identified as being in use by the institution, at least as part of the technology agreement (assuming you have a separate agreement specifically for technology). This is an important legal concern should you seek to pursue it. The students must be aware that their use of the computers can be monitored, in real time, without prior warning in an attempt to prevent cheating.

View solution in original post

cshore
Community Member

This TiKTok Video is claiming it can hack the answer key through the source code. Is his process legit?

https://www.youtube.com/watch?v=WatoompIRik

View solution in original post

0 Kudos
cesbrandt
Community Champion

No, that video is blatantly fake and is easily testable.

 

The first clue is the excessive amount of cuts in the video. If it were truly a walkthrough on how to cheat the system, there would be no need for cuts.

The second clue is the end result. The API endpoints return a JSON string, not an HTML page. What they show has clearly be altered to show what they wanted the viewer to see, not what it actually does.

The final clue is the API endpoint. That endpoint doesn't have anything to do with quizzes. It's actually a recurring call made to update the badge on the Inbox icon of the main menu to reflect a users new message count. If you look at the URL they show at the 0:17 mark, even with the horrendous quality of the video you can see that the endpoint is for `/api/v1/conversations/unread`, and not for anything relating to quizzes.

 

Looking into the original video, it appears to be some strange marketing campaign for an Apple-based tutoring app called Kadama, but I can't confirm that there's any actual relation.

View solution in original post

-Aki-
Community Member

Umm how do you cheat? Not for me, it's for research purposes.

View solution in original post

0 Kudos
cesbrandt
Community Champion
If you have to ask, you don't need to know.

Simply put, cheating a server-side system requires either exploiting a security loophole or having the permissions to do so.

The first is determined through intentional attempts to exploit the system to find vulnerabilities. This type of process requires extensive knowledge of how the system works before attempting to find a gap. These tend to get quickly reported and subsequently fixed. If you're looking for specifics on how to do this, you're not likely to find it on this community. It's an integrity concern that extends well beyond a single institution.

The second results from a misuse of authority by someone that already has access, whether intentional (they give permissions to someone they are good friends with) or not (they accidentally give permissions to someone because their name is similar to someone that was actually supposed to get the permissions). This is an auditing issue entirely on the institution to deal with.

View solution in original post

0 Kudos