Security/permissions problem: Why does the STUDENT app allow you (test-student) to edit quizzes??

I found a security hole in Canvas that seems to have them stumped, and I'm wondering if anyone else has seen this, given how much more we're all relying on our campus LMS now for virtual classes:

Canvas has two apps for the smartphone, one for teachers and one for students. (You can see what the student sees by clicking the bottom button on the teacher app called "Student View", which automatically opens the student app.)

When you view your own course as this "test-student" in the student app, go to one of your quizzes and click "Take Quiz." Instead of seeing the quiz as a student would see it, the app gives the test-student options to edit and even unpublish your quiz!

This doesn't happen on the Chrome browser version of Canvas. And the test-student role doesn't let you edit any other part of your course, except for the quizzes; so this seems to be a glitch in the app.

It could be that this is a problem with only the test-student and doesn't affect real students. But since no one seems to know why this is happening—neither Canvas nor my school—they can't confidently say that there won't be a similar glitch with an actual student.  

Anyone else experience this problem??  I'm using the iOS apps, and I'd be curious if this also happens with the Android apps...
 
Should teachers plan to use a different app or LMS to run quizzes, if this security hole is unexplained and possibly broader?
 
For any Canvas employees reading this—since your helpdesk hasn't followed up yet with a diagnosis—you can see my chat history as well as phone screen recording that shows the problem in case #06154385, started on Aug 12, 2020. 
Accepted Solutions
Instructure

This is a bug with Student View, not a security hole for real students.

Student View is tricky business because what it is is the Teacher "acting" as a student. All of the requests being made are as the teacher but they include an "as_user_id" param. What can happen is sometimes some views might not be looking at the "as_user_id" param and are only looking at the token for the user making the request.

Which, in some ways, makes this the opposite of a security hole because we are treating the request as a teacher, not a student.

So keep in mind that Student View is very different than logging in as a student. As you pointed out, there are bugs but they are not security holes.

Also, find comfort in the fact that the mobile apps use the public API. The apps in-and-of-themselves are not capable of causing security holes such as this.

Thank you for the bug report, I will follow up with support and make sure we take a look at it.

 

Nate

Mobile Engineer

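The permission mix-up Nate describes, as an added example that is not Canvas code: a toy authorization check that consults only the bearer token (the bug), beside one that resolves the masqueraded user from the as_user_id param, and a request decision that refuses as_user_id from anyone not allowed to masquerade. The User, Request, EDIT_ROLES and decide names are assumptions for illustration.

```python
# Added example, not Canvas code: a minimal model of how a masquerade request
# ("Student View" sends the teacher's token plus an as_user_id param) must be
# authorized against the effective user rather than the token holder.
from dataclasses import dataclass, field

EDIT_ROLES = {"teacher"}  # assumed: roles that may edit or unpublish a quiz


@dataclass
class User:
    id: str
    role: str                     # "teacher" or "student"
    can_masquerade: bool = False  # only teachers/admins may act as someone else


@dataclass
class Request:
    token_user: User              # who the bearer token belongs to
    params: dict = field(default_factory=dict)


def effective_user(req: Request, users: dict) -> User:
    """Resolve whom the request acts as. as_user_id is honored only when the
    token holder is allowed to masquerade; anyone else supplying it is refused."""
    target_id = req.params.get("as_user_id")
    if target_id is None:
        return req.token_user
    if not req.token_user.can_masquerade:
        raise PermissionError("as_user_id from a user who may not masquerade")
    return users[target_id]


def can_edit_quiz_buggy(req: Request, users: dict) -> bool:
    # The bug described above: the view consults only the token's owner,
    # so Student View still carries the teacher's edit rights.
    return req.token_user.role in EDIT_ROLES


def can_edit_quiz_fixed(req: Request, users: dict) -> bool:
    # Corrected: permissions come from the effective (masqueraded) user.
    return effective_user(req, users).role in EDIT_ROLES


def decide(req: Request, users: dict) -> str:
    """Outcome a quiz-edit endpoint should return for a request."""
    try:
        return "allow" if can_edit_quiz_fixed(req, users) else "deny"
    except PermissionError:
        return "reject"  # a real student forging as_user_id gets nowhere
```

The buggy check returns True for a teacher in Student View, which is exactly the symptom in the original post; the fixed check returns False, and a student token carrying as_user_id is rejected outright.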

5 Replies

Looking through this Question Forum again, I'm now seeing posts about students being able to do things in Canvas' student app that they should not have access to—not the same problem I described, but other issues.  It would be very troubling if there were security holes in the apps, which could compromise a course no matter how well designed it is.  

To reduce that risk, is there a way to disable student access to your course on the Canvas mobile apps?

Community Coach

Hi @patricklin - 

That's a really interesting observation! I don't think that's intentional, but I think you can be assured that students cannot edit a quiz. I just tried this with a quiz and then using the "Act as User" feature to become a student in a course (which is different than the Student View). When I did that, I only saw a big "Take the Quiz" button underneath the instructions.

I teach at a school with 1:1 iPads, and we've used Canvas (many of my colleagues use Quizzes too) without any loopholes discovered/used by students. 

When you hear from Canvas Support, please share! I'm curious what they tell you!


Hi @klundstrum -

Did you click on "Take the Quiz"?  You need to do that step to get to the editing page.

Or would you mind trying this: When you Act as User, could you give yourself the role of the teacher (as opposed to student), then go to the teacher's mobile app, click on Student View, and take a quiz as a test-student?

On your iPads, are you using the mobile iOS app, or the browser version on Canvas?  As far as I can tell, this is a problem only with the mobile app, but I haven't tried Android apps or non-Chrome browsers.

Right, I'm sure it was unintentional, but now I'm wondering what else is unintentional.  Students getting unauthorized access to exams is one of the worst things that can happen with an LMS...!

Will report back here if Canvas responds with anything interesting.  The IT folks at my school were able to replicate the problem, so I know it's not just an issue on my end.  I have the latest apps too, downloaded earlier this week...hmm, so weird... 



Thanks, @narmstrong, this should clear it up for now.  I was worried since I'm new to Canvas, and no one could explain the problem.  Canvas' support team never followed up to even confirm if they were able to replicate the problem.

And I guess I should have gone through your Bug Bounty Program.  Donate that money to a good cause! 😉
