Think your Course Files are safe? Think again.

mattmcdon87
Community Novice

Hi everyone,

First off, the title is a bit cheeky. I guess I'm just miffed by the obvious flaw I have discovered. It may also be the irritation at my own naivete bleeding through a bit. :]

Regardless, I found what I think is a pretty serious vulnerability in the Course Files structure.

I set up my course so that the students don't have access to the Files page. I've tested this multiple times, and there are no loopholes -- you can't get to the Files page as a student when it is disabled. In my naivete, I thought that this meant I could upload exam files beforehand so that I'm not scrambling at the last moment trying to upload and post them right on time. I figure, why not upload them early? Even though a little voice deep inside was extremely leery of such a risky venture, a couple of days ago I finished writing the final exam for one of my classes, and, as an act of finality, uploaded it to the course Files so that I could completely scratch that item off my to-do list. Yikes. 

This afternoon, after finishing a bunch of grading, I decided to triple check all the details for the final exam. I checked the linked equations and constants pdf file and I checked the periodic table pdf file. Both downloaded just fine, but I noticed something. They each had a specific URL associated with them that linked to the file within the Course Files page. That's fine, I want the students to be able to download these files ahead of time. However, I also noticed that each file is identified by a number, and each of the files I had downloaded had ID numbers that had only 3 digits of difference at the end of the ID number.

For example, file 1 had a url of

"https://uni.instructure.com/courses/courseNumber/files/3111223010/download?wrap=1"

and file 2 had a url of 

"https://uni.instructure.com/courses/courseNumber/files/3111223214/download?wrap=1"

(edited from the original for obvious reasons).

I then thought to myself: "I wonder if I could download the final exam file by guessing the last 3 digits of the final exam file while logged in as a student?" I tried this, and succeeded. Rather quickly, actually.

The url for the final exam was

"https://uni.instructure.com/courses/courseNumber/files/3111223244/download?wrap=1".

Maybe someone has a solution to this problem, or a way to block download for specific files? In any case, I removed my final exam file and I learned a lesson.

tl;dr An industrious and determined student can download any file from your course Files page (even if you have it disabled!) by simply guessing the file ID extension.