Community Member

Think your Course Files are safe? Think again.

Hi everyone,

First off, the title is a bit cheeky. I guess I'm just miffed by the obvious flaw I have discovered. It may also be the irritation at my own naivete bleeding through a bit. :]

Regardless, I found what I think is a pretty serious vulnerability in the Course Files structure.

I set up my course so that the students don't have access to the Files page. I've tested this multiple times, and there are no loopholes -- you can't get to the Files page as a student when it is disabled. In my naivete, I thought that this meant I could upload exam files beforehand so that I'm not scrambling at the last moment trying to upload and post them right on time. I figure, why not upload them early? Even though a little voice deep inside was extremely leery of such a risky venture, a couple of days ago I finished writing the final exam for one of my classes, and, as an act of finality, uploaded it to the course Files so that I could completely scratch that item off my to-do list. Yikes. 

This afternoon, after finishing a bunch of grading, I decided to triple check all the details for the final exam. I checked the linked equations and constants pdf file and I checked the periodic table pdf file. Both downloaded just fine, but I noticed something. They each had a specific URL associated with them that linked to the file within the Course Files page. That's fine, I want the students to be able to download these files ahead of time. However, I also noticed that each file is identified by a number, and each of the files I had downloaded had ID numbers that had only 3 digits of difference at the end of the ID number.

For example, file 1 had a url of

"https://uni.instructure.com/courses/courseNumber/files/3111223010/download?wrap=1"

and file 2 had a url of 

"https://uni.instructure.com/courses/courseNumber/files/3111223214/download?wrap=1"

(edited from the original for obvious reasons).

I then thought to myself: "I wonder if I could download the final exam file by guessing the last 3 digits of the final exam file while logged in as a student?" I tried this, and succeeded. Rather quickly, actually.

The url for the final exam was

"https://uni.instructure.com/courses/courseNumber/files/3111223244/download?wrap=1".

Maybe someone has a solution to this problem, or a way to block download for specific files? In any case, I removed my final exam file and I learned a lesson.

tl;dr An industrious and determined student can download any file from your course Files page (even if you have it disabled!) by simply guessing the file ID extension.

3 Replies
Surveyor

Matthew -

Thanks for posting this information. 

I had the same concerns, but for some reason I never looked into it. I knew that if you had the files set up for access by link only, any student could access that file once they had the link. I have thought about the fact that the numbering made some things easier, i.e., moving a file from one directory to another does not break the link in your course. I would always prefer a name for the file to be the access instead of the number format. It will be interesting to see what some of the more Canvas-knowledgeable people have to say about this matter.

Ron


Ron,

You're right, a name ID would solve the problem and also allow for the links to continue working. Good point!

-- Matt

Navigator

That security model does make files available to students in your course, but there are other models available if that one doesn't work for you.

Before I get into that, I want to clarify a statement about the last three digits. The ID is generally a sequential number for all files across all Canvas instances, perhaps within a shard. If yours are within 204 of each other, it's because they were uploaded relatively close to each other or you hit it at a slow point. It's not that files for a certain course only vary in the last three digits. In some cases, files that are uploaded at the same time often have IDs that are sequential, which makes it even easier to guess once you know one of them.

Setting aside the files that are uploaded at the same time, most of them would be at another institution (assuming you're not self-hosted) or in another course where the student would not have access to them. Having the link or the ID isn't sufficient if you don't have permission to view the file. If file ID 12345 is in course B, but a student from course A tries to access it, they get an Access Denied message.

A student could go through and try random numbers and download every file linked this way provided that they were logged into Canvas. Then there would be tracking of that going on by the user's ID. You would also be able to go into the access report and see who had accessed the files. That doesn't keep your final exam safe, but at least it provides evidence.

One thing you can do is schedule the release of the file (based on date and time) until right before students are able to access it. Make sure the Files navigation is not available to the student, and then link to the exam or the files. When the Files navigation menu is disabled, students cannot get a list of files in the course; they get a 401 Unauthorized error on the API call. It wouldn't be available until a particular date and time, and at that point, students could start guessing file IDs.

The scheduling is nice for people who want to set it and forget it instead of having to remember to go in at the last minute and upload the file or stay up until midnight when the exam becomes available. If you reuse the course, you'll need to reset the availability dates.
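
The access-report review mentioned in the reply above can be automated. The following is an added example, not part of the thread and not Canvas code: it assumes a hypothetical one-line-per-request log format and a constructed set of linked file IDs, and it flags users who request many file IDs that no course page links to, along with any such files they were actually served.

```python
import re
from collections import defaultdict

# Hypothetical log line: "<timestamp> user=<id> <status> <download path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<status>\d{3}) "
    r"/courses/(?P<course>\d+)/files/(?P<file>\d+)/download"
)

# Constructed sample access log (assumed format, not Canvas's own export).
SAMPLE_LOG = """\
2024-05-01T13:00:01Z user=501 200 /courses/42/files/3111223010/download?wrap=1
2024-05-01T13:00:09Z user=501 200 /courses/42/files/3111223214/download?wrap=1
2024-05-01T13:02:00Z user=777 200 /courses/42/files/3111223010/download?wrap=1
2024-05-01T13:02:03Z user=777 401 /courses/42/files/3111223240/download?wrap=1
2024-05-01T13:02:04Z user=777 401 /courses/42/files/3111223241/download?wrap=1
2024-05-01T13:02:05Z user=777 401 /courses/42/files/3111223242/download?wrap=1
2024-05-01T13:02:06Z user=777 401 /courses/42/files/3111223243/download?wrap=1
2024-05-01T13:02:07Z user=777 200 /courses/42/files/3111223244/download?wrap=1
"""

# File IDs the instructor deliberately linked from course pages (constructed).
LINKED_IDS = {3111223010, 3111223214}

def flag_id_guessing(log, linked_ids, min_unlinked=4):
    """Return {user: report} for users requesting many file IDs nobody linked."""
    tried = defaultdict(set)    # user -> unlinked file IDs requested
    fetched = defaultdict(set)  # user -> unlinked file IDs served with 200
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a file-download request
        user, file_id = int(m["user"]), int(m["file"])
        if file_id in linked_ids:
            continue  # normal use: the student followed a published link
        tried[user].add(file_id)
        if m["status"] == "200":
            fetched[user].add(file_id)
    return {
        user: {"unlinked_tried": sorted(ids),
               "unlinked_fetched": sorted(fetched[user])}
        for user, ids in tried.items()
        if len(ids) >= min_unlinked
    }

if __name__ == "__main__":
    for user, report in flag_id_guessing(SAMPLE_LOG, LINKED_IDS).items():
        print(user, report)
```

The `unlinked_fetched` list is the part to act on: those are files that were served without ever being linked, so they should be treated as exposed.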