Reported a Broken Access Control bug to Instructure via Bugcrowd 11 months ago, and also sent directly to Canvas and Instructure since I didn't really care about the bounty. It was deemed "not applicable".
Could show a ton of screenshots but this one sums it up https://imgur.com/gallery/canvas-vuln-declared-n-11-months-ago-zYfHnBs
It showed enough PII from everyone in my course that it would have been cake to privilege escalate through even the most rudimentary social engineering.
Here's another screenshot with email replies (two months later) saying Instructure had no control over bootcampspot.instructure.com :: https://imgur.com/a/BnhgXme