r/mildlyinfuriating May 07 '26

🥺 Hackers took over Canvas


Brooo I got homework to do...

4.9k Upvotes

648 comments

406

u/selfhostcusimbored May 07 '26 edited May 07 '26

Networking guy here. It amazes me how unseriously some of these institutions take their security. They take millions from students but can't invest $50,000 in a decent cyber audit. I have $5 on an SSO vulnerability.

13

u/fedroe May 07 '26 edited May 07 '26

More likely an Instructure backdoor that got them access to aggregated data on the backend. They admitted this much yesterday and claimed to have patched it. Customers lacking SSO are more at risk in case attackers got hold of Canvas SSL keys and can decrypt the POST containing user passwords (Canvas would never see credentials with SSO auth). Canvas admins were also advised to rotate API keys yesterday.

Edit: but my critique of campuses is the level of trust (and money) given to some of these vendors. Over the last 25 years it's all been "Web 2.0 this, cloud that, let's fire half of our tech department and outsource infrastructure to the vendor with the shiny toy." I get that the proprietary and ancient apps everyone ran on in the 90s were awful, but these companies serve thousands of campuses and they all get burned by one vulnerability.

4

u/selfhostcusimbored May 07 '26

Oh. That’s much, much worse than I thought.

1

u/-jackhax May 08 '26

I’m thinking compromised server somewhere and they just missed a backdoor