Canvas Assignment External Tool Security Concern

mmuslimmunir
Community Novice

Hi,

I am adding LTI integration support in an application i am working on and i was planning to force login user by taking the email address passed in the payload when assignment is loaded so the application can collect some stats and keep track of the assignment progress for the specific user and then submit the grades back to canvas. Auto login part is to make the flow seamless and user friendly. When testing this feature it raised a security concern because the session for the loaded LTI assignment and my standalone application is shared so the auto login feature would mean that the user is logged in on my standalone application as well. I made the test course public and accessed it through another account that i created for canvas and the course and assignment were being assessed and there was no parameter in the payload that would indicate if the user had verified the account or not. So this leads to a potential vulnerability where the user for my application can be impersonated by creating an account on canvas just by using the email and accessing the assignment. Is there a best practice for this or something that canvas provides through which i can implement it in a more secure way or can it be made so that user cannot get access to a course content if he has not verified the email address. 

0 Likes