Think your Course Files are safe? Think again.
Hi everyone,
First off, the title is a bit cheeky. I guess I'm just miffed by the obvious flaw I have discovered. It may also be the irritation at my own naivete bleeding through a bit. :]
Regardless, I found what I think is a pretty serious vulnerability in the Course Files structure.
I set up my course so that the students don't have access to the Files page. I've tested this multiple times, and there are no loopholes -- you can't get to the Files page as a student when it is disabled. In my naivete, I thought that this meant I could upload exam files beforehand so that I'm not scrambling at the last moment trying to upload and post them right on time. I figure, why not upload them early? Even though a little voice deep inside was extremely leery of such a risky venture, a couple of days ago I finished writing the final exam for one of my classes, and, as an act of finality, uploaded it to the course Files so that I could completely scratch that item off my to-do list. Yikes.
This afternoon, after finishing a bunch of grading, I decided to triple check all the details for the final exam. I checked the linked equations and constants pdf file and I checked the periodic table pdf file. Both downloaded just fine, but I noticed something. They each had a specific URL associated with them that linked to the file within the Course Files page. That's fine, I want the students to be able to download these files ahead of time. However, I also noticed that each file is identified by a number, and each of the files I had downloaded had ID numbers that had only 3 digits of difference at the end of the ID number.
For example, file 1 had a URL of
"https://uni.instructure.com/courses/courseNumber/files/3111223010/download?wrap=1"
and file 2 had a URL of
"https://uni.instructure.com/courses/courseNumber/files/3111223214/download?wrap=1"
(edited from the original for obvious reasons).
I then thought to myself: "I wonder if I could download the final exam file by guessing the last 3 digits of the final exam file while logged in as a student?" I tried this, and succeeded. Rather quickly, actually.
The URL for the final exam was
"https://uni.instructure.com/courses/courseNumber/files/3111223244/download?wrap=1".
Maybe someone has a solution to this problem, or a way to block download for specific files? In any case, I removed my final exam file and I learned a lesson.
tl;dr An industrious and determined student can download any file from your course Files page (even if you have it disabled!) by simply guessing the file ID extension.
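The flaw described in the post is an authorization check placed on the wrong object: the hidden Files tab only guards the file listing, while the per-file download route hands out any file whose ID exists, and sequential IDs make those guessable. The following Python is an added example, not code from the original post and not Canvas or Instructure code. It models that flawed download route beside a hardened one that decides access on the file record itself, and then scans a few constructed access-log lines for the burst of near-miss requests that ID guessing produces. Every name in it (`FileRecord`, `Course`, `download_vulnerable`, `download_hardened`, `flag_id_probing`, the log format) is an assumption made for the example; only the file IDs are taken from the post.

```python
# Added example; not the post's code and not a Canvas API. Models the hidden-tab
# flaw, a per-file authorization check, and detection of sequential-ID probing.
from collections import defaultdict
from dataclasses import dataclass, field
import re


@dataclass
class FileRecord:
    file_id: int
    name: str
    student_visible: bool  # published and unlocked for students (assumed flag)


@dataclass
class Course:
    files_tab_hidden: bool
    files: dict = field(default_factory=dict)  # file_id -> FileRecord


def list_files(course, role):
    """Index route: the only place the hidden-tab flag is enforced."""
    if role != "teacher" and course.files_tab_hidden:
        return []
    return list(course.files.values())


def download_vulnerable(course, role, file_id):
    """Flawed download route: any enrolled user gets any file that exists.
    The role is accepted but never consulted, so hiding the tab changes
    nothing here and a guessed ID succeeds."""
    return course.files.get(file_id)  # None when the guess misses


def download_hardened(course, role, file_id):
    """Authorization is decided on the file record, not on the tab."""
    record = course.files.get(file_id)
    if record is None:
        return None
    if role == "teacher" or record.student_visible:
        return record
    return None  # same answer as a missing ID, so a probe learns nothing


def build_course():
    # Constructed data mirroring the post: two handouts students may have,
    # and an unreleased exam uploaded early. IDs are close together.
    course = Course(files_tab_hidden=True)
    for fid, name, visible in [
        (3111223010, "equations-and-constants.pdf", True),
        (3111223214, "periodic-table.pdf", True),
        (3111223244, "final-exam.pdf", False),
    ]:
        course.files[fid] = FileRecord(fid, name, visible)
    return course


# Detection side: one principal requesting many distinct file IDs inside a
# narrow numeric window, most of them misses. Constructed log format
# (assumed, not a real server format): "<user> <file_id> <status>".
LOG_RE = re.compile(r"^(\S+) (\d+) (\d{3})$")

CONSTRUCTED_LOG = """\
student42 3111223010 200
student42 3111223214 200
student42 3111223215 404
student42 3111223216 404
student42 3111223217 404
student42 3111223218 404
student42 3111223240 404
student42 3111223244 200
teacher1 3111223244 200
student7 3111223010 200
"""


def flag_id_probing(log_text, max_span=1000, min_requests=5, min_miss_ratio=0.5):
    """Return users whose file requests look like ID enumeration: at least
    min_requests distinct IDs, all within max_span of each other, with at
    least min_miss_ratio of the requests not returning 200."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        per_user[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    flagged = []
    for user, reqs in per_user.items():
        ids = {fid for fid, _ in reqs}
        if len(ids) < min_requests:
            continue
        misses = sum(1 for _, status in reqs if status != 200)
        if max(ids) - min(ids) <= max_span and misses / len(reqs) >= min_miss_ratio:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    course = build_course()
    print(download_vulnerable(course, "student", 3111223244))  # exam leaks
    print(download_hardened(course, "student", 3111223244))    # None
    print(flag_id_probing(CONSTRUCTED_LOG))                    # ['student42']
```

The hardened handler is the actual fix: it answers the question "may this user see this file?" for every request, whatever the tab setting says. Random, non-sequential file IDs would raise the cost of guessing but are not a substitute for that check, and the log scan only tells you that someone is probing; the thresholds are illustrative and would need tuning against real traffic.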