Moodle
  1. Moodle
  2. MDL-11451

Exporting grades with a key may accidently publish the URL

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9
    • Fix Version/s: 1.9
    • Component/s: Gradebook
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      28524

      Description

      At the New Zealand Moodle Moot, Martin demonstrated a way to publish grades using a special URL which contains a secret key encoded in it. Giving the URL to other people gives them access to the grades.

      Since grades are quite sensitive, it becomes a security problem when they are exposed accidently to third parties.

      Here are two scenarios where this URL could become public:

      1- The user bookmarks it and is using a community bookmarking system like del.icio.us Other users of that system may now find it, but Google can also index it.

      2- Windows users sometime have "download accelerators" which report to a central server what URLs people are downloading. There have been cases where these URLs are then shared with the public, for example in "top 10" lists or "current downloads".

      Therefore, I think the potential for users unknowingly sharing their grades is real.

      One way, this could be mitigated is to split this into two pieces of information:

      • a secret key
      • a page where the user goes and where they need to enter the secret key and press submit.

        Activity

          People

          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: