|
|
|
At the New Zealand Moodle Moot, Martin demonstrated a way to publish grades using a special URL which contains a secret key encoded in it. Giving the URL to other people gives them access to the grades.
Since grades are quite sensitive, it becomes a security problem when they are exposed accidently to third parties.
Here are two scenarios where this URL could become public:
1- The user bookmarks it and is using a community bookmarking system like del.icio.us Other users of that system may now find it, but Google can also index it.
2- Windows users sometime have "download accelerators" which report to a central server what URLs people are downloading. There have been cases where these URLs are then shared with the public, for example in "top 10" lists or "current downloads".
Therefore, I think the potential for users unknowingly sharing their grades is real.
One way, this could be mitigated is to split this into two pieces of information:
- a secret key
- a page where the user goes and where they need to enter the secret key and press submit.
|
|
Description
|
At the New Zealand Moodle Moot, Martin demonstrated a way to publish grades using a special URL which contains a secret key encoded in it. Giving the URL to other people gives them access to the grades.
Since grades are quite sensitive, it becomes a security problem when they are exposed accidently to third parties.
Here are two scenarios where this URL could become public:
1- The user bookmarks it and is using a community bookmarking system like del.icio.us Other users of that system may now find it, but Google can also index it.
2- Windows users sometime have "download accelerators" which report to a central server what URLs people are downloading. There have been cases where these URLs are then shared with the public, for example in "top 10" lists or "current downloads".
Therefore, I think the potential for users unknowingly sharing their grades is real.
One way, this could be mitigated is to split this into two pieces of information:
- a secret key
- a page where the user goes and where they need to enter the secret key and press submit. |
Show » |
made changes - 27/Sep/07 10:04 AM
| Field |
Original Value |
New Value |
|
Assignee
|
Yu Zhang
[ lazyfish
]
|
Petr Skoda
[ skodak
]
|
made changes - 27/Sep/07 03:10 PM
|
Security
|
Possible security issue
[ 10002
]
|
|
made changes - 27/Sep/07 04:51 PM
|
Status
|
Open
[ 1
]
|
Resolved
[ 5
]
|
|
Fix Version/s
|
|
1.9
[ 10190
]
|
|
Resolution
|
|
Fixed
[ 1
]
|
|
Bug
Resolved
Minor
Exporting grades with a key may accidently publish the URL
