2016-06-01 Instructure Advisory IAC17708 - Developer Key Privilege Escalation



Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2016-06-01
  Description:Developer Key Privilege Escalation
  Criticality Level:Very High
  Impact:Potential manipulation of developer keys / Identity forgery
  Systems Affected:Potential impact includes all developer keys issued within an instance of Canvas
  Solution Status:Closed/Resolved
  Discovered By:Cody Cutrer
  Relevant Changesets:

fix permission check of updating developer keys · instructure/canvas-lms@24c57dc · GitHub


In October of 2015,  a code change which allowed an account admin to manage developer keys generated within their own instance of Canvas was introduced   into the codebase. It was recently discovered during a routine review of the code that the permission checks had weak scope boundaries, so an admin with       permissions to modify developer keys in their own instance/account, were inadvertently able to modify any developer key within the system.

For users of the open source version of Canvas, the vulnerability surface area is much smaller since there's only one root account, and typically the root account admins are also site admins, which would have permissions to alter developer keys.


The Instructure engineering team has developed, tested, and promoted a hotfix to the production Canvas platform. They have also updated the Canvas open source git repository with a security patch prior to the release of this bulletin.