Moodle

Exporting grades with a key may accidently publish the URL

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9
  • Fix Version/s: 1.9
  • Component/s: Gradebook
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE

Description

At the New Zealand Moodle Moot, Martin demonstrated a way to publish grades using a special URL which contains a secret key encoded in it. Giving the URL to other people gives them access to the grades.

Since grades are quite sensitive, it becomes a security problem when they are exposed accidently to third parties.

Here are two scenarios where this URL could become public:

1- The user bookmarks it and is using a community bookmarking system like del.icio.us Other users of that system may now find it, but Google can also index it.

2- Windows users sometime have "download accelerators" which report to a central server what URLs people are downloading. There have been cases where these URLs are then shared with the public, for example in "top 10" lists or "current downloads".

Therefore, I think the potential for users unknowingly sharing their grades is real.

One way, this could be mitigated is to split this into two pieces of information:

  • a secret key
  • a page where the user goes and where they need to enter the secret key and press submit.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Martin Dougiamas added a comment -

I don't think we can change the URL but we should definitely have more warnings there to alert people of the security implications if they bookmark it, use download accelerators etc

Show
Martin Dougiamas added a comment - I don't think we can change the URL but we should definitely have more warnings there to alert people of the security implications if they bookmark it, use download accelerators etc
Hide
Permalink
Petr Škoda (skodak) added a comment -

Hello:

  • The keys are not visible by default on that form
  • the keys may be disabled completely by configuration option
  • there is an IP restriction for each key
  • the date field limits the usability of the key
  • keys are defined per course/user only - key can be used to get access to grades of that course only

I would recommend to not use the keys if security is a problem.

On the other hand we might add special capability for creating of grade import/export keys, so that admins have a way to limit who can use this feature and not just turn it off for everybody.

Show
Petr Škoda (skodak) added a comment - Hello:
  • The keys are not visible by default on that form
  • the keys may be disabled completely by configuration option
  • there is an IP restriction for each key
  • the date field limits the usability of the key
  • keys are defined per course/user only - key can be used to get access to grades of that course only
I would recommend to not use the keys if security is a problem. On the other hand we might add special capability for creating of grade import/export keys, so that admins have a way to limit who can use this feature and not just turn it off for everybody.
Hide
Permalink
Petr Škoda (skodak) added a comment -

I have added:

  • new permissions to control the publishing - admin by default only
  • default iprestriction and 7 days validity - just in case somebody just clicks to create a new key
Show
Petr Škoda (skodak) added a comment - I have added:
  • new permissions to control the publishing - admin by default only
  • default iprestriction and 7 days validity - just in case somebody just clicks to create a new key
Hide
Permalink
Petr Škoda (skodak) added a comment -

Clearing the security flag so that anybody can read this issue - I hope somebody will write a good help page soon, the main emphasis should be IMO on ip restrictions.

Show
Petr Škoda (skodak) added a comment - Clearing the security flag so that anybody can read this issue - I hope somebody will write a good help page soon, the main emphasis should be IMO on ip restrictions.
Hide
Permalink
Petr Škoda (skodak) added a comment -

closing, the ip restriction prevents against this problem, the default settings should not encourage bad practices.
thanks very much for the valuable input!

please reopen if needed

Show
Petr Škoda (skodak) added a comment - closing, the ip restriction prevents against this problem, the default settings should not encourage bad practices. thanks very much for the valuable input! please reopen if needed

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.