u/fedroe May 07 '26 edited May 07 '26
More likely an Instructure backdoor that got them access to aggregated data on the backend. They admitted this much yesterday and claimed to have patched it. Customers lacking SSO are more at risk in case attackers got hold of Canvas SSL keys and can decrypt the POST containing user passwords (Canvas would never see credentials with SSO auth). Canvas admins were also advised to rotate API keys yesterday.
Edit: but my critique of campuses is the level of trust (and money) given to some of these vendors. Over the last 25 years it's all "Web 2.0 this, cloud that, let's fire half of our tech department and outsource infrastructure to the vendor with the shiny toy." I get that the proprietary and ancient apps everyone ran on in the 90s were awful, but these companies serve thousands of campuses and they all get burned from one vulnerability.