Community Help

saustin · ‎06-04-2024

Good morning, in reviewing the tracking of page activity of a Canvas user, I have come across URLS using the notation roos. A partial example follows:

https://xxxxxxx.instructure.com/courses/xxxx/pages/roos/.....

Does anyone know what the roos is about?

It seems to be associated with the measurement of Internet connectivity.

Thank you so much for any insights you may have

--Sharon

James · ‎06-05-2024

I wouldn't expect roos to be part of Canvas. From the pages, it would have had to been a page called roos, not a file.

The speedtest.net extension isn't part of Proctorio, it's something installed in the browser and available from the toolbar. It's possible that it has a relative link that gets added to the end of whatever site you're on. The link you provided would have shown up if the student was on the Pages list and a relative URL was added to the end. It seems strange that the student would have done that many requests from the list of Pages -- even if the list of pages is available in your course (I have it disabled in all of mine).

The thing with extensions is that you can grant them permissions that are pretty invasive and can cause a slow-down themselves. For example, there are shopping extensions that take look at every page trying to find better prices for you. Extensions like those, ghostery, adblock, and others have been known to cause issues. Proctorio is another extension designed to keep make the browser secure by taking over control.

It is possible for a website to detect which extensions you have loaded, but . I've seen websites that tell me I have an adblocker loaded and to disable it if I want to continue using their site. I found a 2017 article on how sites can identify you by which extensions you have loaded that says one way they can try to detect ghostery or adblock is to attempt load their images. So, if roos/* is a path to an image from an extension -- and it appears that it is a path to an image -- then it might be some webpage trying to detect its presence. Another way is by trying to looking for modifications the extension makes to the DOM. For instance, if I try to load an image and it doesn't get loaded, there might be something blocking it.

Since Proctorio is designed to prevent access to other sites, it would be a prime candidate for trying to detect bad extensions, but I have no evidence that this is what's happening.

Still, an extension could modify the URL and if they didn't do it correctly, it could show up like what you're seeing.

As for detecting browser extensions, I found an article from 2019 that explains how to detect browser extensions. I didn't come across any recent data, so Chrome may have fixed the issue or I might not have been searching for the right thing.

In general, if a student is having any kind of problems, they should probably cut back on their extensions -- or remove any McAfee or Norton installations. When people are experiencing weird things on their computers, one of the first things we have them try is incognito mode (many extensions are not loaded in incognito mode) or a different browser.

View solution in original post

James · ‎06-04-2024

@saustin

I take it that this appears more than once. Are the urls that follow the roos valid?

I'm not familiar with "roos", but having anything between /pages/ and the url for the page would break the page router in Canvas. It would not take you anywhere.

roos does not appear anywhere in the Canvas open source anywhere.

I've seen web log entries that shouldn't be there. Any webserver routinely gets requests for pages with known vulnerabilities, even though they don't appear on the server. Someone is probing to find an exploit.

If this is tied to a student (and not just a random page from the weblogs), is there other evidence that the student's account has been hacked? Perhaps the student was trying to automate something and had a bug in their program? Maybe the student was doing something else and randomly inserted roos in there (my laptop routinely jumps me to a place I wasn't at and then I finish typing before I realize it, although getting an extra slash in there would be difficult to explain).

Is it possible that the bad link is contained within a page or assignment within Canvas? Can you identify where the student was before that link showed up and then see if that page has a bad link on it?

What was the http status code for those requests?

SharonAustinE · ‎06-05-2024

Good afternoon James, thank you for your prompt and detailed feedback. Now that I have had a little sleep, I can provide context. A student had sent in a ticket to our help desk claiming that Canvas/Proctorio were acting slow, and delayed in providing pages to him while he took a test. He claimed that Internet speed was fast, and he should not be having problems with a slow Canvas/Proctorio test. Investigating, I saw that the student had three browsers (and two devices) up simultaneously. In light of the fact that the student had up so many windows, was on Proctorio, was probably in a common room with other students also seeking bandwidth, the hiccups and delays the student was experiencing was not surprising. It was in the context of investigating the student's technology at the time of the test that I came across these web addresses with the "roos". With a little further investigation this morning, I saw that the "roos" are a source folder for .svg images that indicated Internet speed.

So, the repeated appearance of these URLs now makes sense, in light of the student's concerns about Internet speed.

I take it that this appears more than once.

Yes, multiple times.

Are the urls that follow the roos valid?

Yes, they are valid URLs for images. Last night, when I looked at the URLs, they were an address of an .svg file. When I clicked on it, the graphic downloaded. Last night I was on a Mac laptop. Today, on a hardwired PC when I click on the same links I get an invalid page response by Canvas. At the end of the day, these are addresses of images. Here is a fuller look at one of the examples.

https://xxxxx.instructure.com/courses/xxxxx/roos/2/1/105/assets/icons/new-connection-average.svg

I'm not familiar with "roos", but having anything between /pages/ and the url for the page would break the page router in Canvas. It would not take you anywhere.

You were correct

roos does not appear anywhere in the Canvas open source anywhere.

I've seen web log entries that shouldn't be there. Any webserver routinely gets requests for pages with known vulnerabilities, even though they don't appear on the server. Someone is probing to find an exploit.

If this is tied to a student (and not just a random page from the weblogs), is there other evidence that the student's account has been hacked?

No other evidence at this time, and I think the student was just trying to check the speed of his Internet connection. A browser-based Security check said that the page was secure. (I've attached a partial screenshot)

Perhaps the student was trying to automate something and had a bug in their program? Maybe the student was doing something else and randomly inserted roos in there (my laptop routinely jumps me to a place I wasn't at and then I finish typing before I realize it, although getting an extra slash in there would be difficult to explain).

I don't think so. From the context of his worries, I think he was simply trying to get Canvas to deliver his test more quickly. One of the pages he had open was his grades page at the time. Repeated checks of the Internet speed and having his grades page open, as well as, contacting the teacher that he was worried about being able to finish his test in order to get a good grade all point to me, at least, as someone busy trying to get Canvas/Proctorio to work faster for him, so that his grade would not suffer.

Is it possible that the bad link is contained within a page or assignment within Canvas?

I went to the files section of the course, and could find no folder "roos". When doing a search for the files, I did a generic search for .svg, and came up only with one "getstarted-here.svg" .svg. I did not find the .svg's that were the speed indicators of Internet speed in the course itself.

Can you identify where the student was before that link showed up and then see if that page has a bad link on it?

An external tool that was visited right before the "roos" folder URL showed up was an external link to Proctorio. Apparently, one can add a "Speed Test" extension to test Internet speed. with the following example:

"Add the “speed test” extension to test your internet speed." https://support.aktiv.com/s/article/Proctorio-System-Requirements

Question:

Are you aware of a way I can track whether such an extension has been added to the student's Proctorio?

What was the http status code for those requests?

A 404 error, I have attached a screenshot. (Presented as one of those generic "Page Not Found" pages from Canvas.)

James, thank you so much for all the great questions. I would not have looked at it as fully without the questions you presented.

Warmest regards,

Sharon Austin

James · ‎06-05-2024