irishb
Explorer II

Are your students able to hack a hidden People page?


We just discovered that at least one student has been using a hack to access a hidden People page (meaning the People navigation link is disabled/hidden from students in the Course Navigation Menu).

The hack is adding "/users" at the end of the site's URL. This hack works via Student View as well.

The student gaining access can see other students' names at the hidden People page but not other students' college usernames or ID numbers.

From testing in both Student View and masquerading as an active student, the hack does not appear to work with other hidden navigation areas, such as /pages, /files, or /quizzes.

When tried, each resulted in a message "That page has been disabled for this course."

I have submitted a ticket with Canvas Support, Case 02367946, and wanted to alert other schools about this issue in the meantime.

Thank you,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College

1 Solution

Accepted Solutions
kblack
Community Member

Thank you, Bridget--yes it does! As one who has set up several non-course-related Canvas sites myself, I should have thought of some of those.  We allow students to change their display names, as well, but I'm glad I followed this discussion, because it has pointed out some interesting issues.

Best regards,

Ken


19 Replies
akkaufmann
Learner II

Hi irishb

According to the guide: How do I reorder and hide Course Navigation links? 

All of the links fall under three different categories when hidden:

Disabling a course navigation link creates the following redirects:

  • Hidden only (cannot be disabled): Discussions, Grades, and People
  • Page disabled; redirected to home page: Announcements, Assignments, Conferences, Collaborations, Files, Modules, Outcomes, Quizzes, Pages, Syllabus
  • Page disabled; won't appear in navigation: Any LTI links, such as Attendance, Chat, and SCORM

Along with People, the Grades and Discussions pages cannot be disabled, only hidden. So a student can access these pages if they know the URL.

From my understanding, it has to do with how the API works and ensuring that the data associated with these pages is accessible on other pages, i.e. Grades needs to stay enabled to still allow a student to view their grade on a specific assignment on that assignment's page.

Alex

Thank you, Alex.

I think Canvas should add further clarifying information to the guide that users still have the ability to access the "cannot be disabled" pages/areas and that permissions would need to be changed at the Account and/or Sub-Account level.

irishb
Explorer II

Here's the scoop from Canvas Support:

"After investigating, the People tab cannot be disabled, only hidden. If you don't want the students to be able to see who is in the course, I suggest you change permissions. You will need to uncheck the "See the list of users" from the student tab. I hope this helps."

It helps to know how it is possible for students/users to access a hidden People page.

We're thinking of turning off the student permission to "See the list of users" at the Account-level and creating a sub-account with the permission enabled that we can move courses into for any faculty who would like their students to be able to access the People page.

Hope this information and thread may be of help to others. : )

Best wishes,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College
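The distinction this thread arrives at (a hidden link is not an access control; the "See the list of users" permission is) can be turned into an audit, shown here as an added example that is not part of the original posts or Canvas's own code. The data layout, the `read_roster` permission key, and the nearest-setting-wins inheritance across sub-accounts are assumptions made for illustration; all courses and accounts are constructed.

```python
# Added example: audit hidden navigation links against the student permission.
# All course, account and role data below is constructed sample data.

# Tabs the guide quoted in the thread lists as "hidden only (cannot be disabled)".
HIDDEN_ONLY = {"discussions", "grades", "people"}
# Assumption: "read_roster" is the key for "See the list of users".
GATE = {"people": "read_roster"}

def effective(perm, account_id, accounts, overrides):
    """Nearest explicit setting wins, walking from the course's account to the root.
    Simplified model: ignores locked permissions. No setting anywhere = enabled."""
    while account_id is not None:
        setting = overrides.get(account_id, {}).get(perm)
        if setting is not None:
            return setting
        account_id = accounts[account_id]  # parent id, None at the root
    return True

def audit(courses, accounts, overrides):
    """Return (course, tab, status) for every tab hidden from students."""
    findings = []
    for course in courses:
        for tab in course["tabs"]:
            if not tab.get("hidden"):
                continue
            tid = tab["id"]
            if tid not in HIDDEN_ONLY:
                status = "disabled"            # page itself is switched off
            elif tid in GATE and not effective(GATE[tid], course["account"], accounts, overrides):
                status = "blocked-by-permission"
            else:
                status = "reachable-by-url"    # hidden link, live page
            findings.append((course["name"], tid, status))
    return findings

# Constructed layout mirroring the thread: permission off in a sub-account,
# back on in a sub-sub-account for courses that use the People page.
ACCOUNTS = {"root": None, "sub": "root", "sub-sub": "sub"}
OVERRIDES = {"sub": {"read_roster": False}, "sub-sub": {"read_roster": True}}
COURSES = [
    {"name": "Housing Training", "account": "sub",
     "tabs": [{"id": "people", "hidden": True}, {"id": "files", "hidden": True}]},
    {"name": "Seminar", "account": "sub-sub",
     "tabs": [{"id": "people", "hidden": True}, {"id": "grades", "hidden": True}]},
    {"name": "Open Course", "account": "root", "tabs": [{"id": "people"}]},
]

if __name__ == "__main__":
    for row in audit(COURSES, ACCOUNTS, OVERRIDES):
        print(*row, sep="\t")
```

Any row reported as `reachable-by-url` is a course where the instructor hid a link but the page behind it still answers to students.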

kona
Community Coach

irishb, I'm not sure of the reasoning behind wanting to keep this hidden from the students, but unless you've shut this down as well, students can also see the list of who is in their course from the Inbox.

You're right about seeing classmates' names in Conversations, @kona - although there is one difference between People and Inbox, and that is that Inbox shows display names whereas People does not. (Which is rather strange since if you click on the student's name in People, the details page shows the display name.) This is a problem with display names which I wish would be fixed.

One wishes there could be course-level user permission overrides.  That would be a lot of work to implement, though.

Hi Kona,

Thank you for your question and noting the behavior of name availability via the Canvas Inbox/Conversations. 

As @Nancy_Webb_CCSF points out, this isn't so much an issue for our college because the Inbox shows students' Display names, rather than registered names which may be very different from their preferred names.

So, the main reason many of our faculty have wanted/needed to keep the People page hidden is that it does not accommodate Display names, which can cause issues around Preferred Names versus Registered Names.

BUT - I just learned today that thanks to our school's IT wizards Preferred Names are now feeding into our Canvas instance! And it is an easy process via Registration for a student to use a Preferred Name for their college account.

The case in which we still want to hide the People page is to avoid FERPA issues - this is with our student orientation and housing training sites which contain hundreds of students who are not in the same classes or programs together.

For these sites, I changed the user permissions for the Student role via the sub-account that contains the courses to prevent any hacking by savvy students ; ) and moved other sites that are using the People page into a sub-sub-account under the main sub-account which allows those in the Student role to "See the list of users."

If anyone has any questions about or would like help with this kind of setup, just let me know. : )

Best wishes,

Bridget

Curricular Technology Support | Canvas Admin
The Evergreen State College

kblack
Community Member

I totally agree with @kona on this, irishb (as I often do!). Are you concerned about FERPA issues? While there is separate ongoing discussion of FERPA violations with courses that get cross-listed, I cannot see students seeing the People area as anything like a FERPA violation, given that even student email addresses cannot be directly seen from there.

Luckily People is now very good with section-only option chosen for the students, @kblack, so FERPA might not be a problem for cross-listed courses on this issue. And Inbox is also aware of this setting.

Hi Ken,

Thank you for your question.

For our curricular sites the issue was not FERPA but Display name/Preferred Name versus registration name, but that has just recently changed and is an exciting improvement for the student experience.

The case in which we do still need to hide/block the People page to avoid FERPA issues is with our student orientation and housing training sites which contain hundreds of students who are not in the same classes or programs together, along with the consideration of any students who may have requested confidentiality.

 

I hope that has answered your question.

Best wishes,

Bridget Irish

Curricular Technology Support | Canvas Admin
The Evergreen State College