Moodle Blog

Is your Moodle safe?

I’ve hacked into three Moodle sites this week… well, ok; no, not really; I got in perfectly legitimately: I just went to the Login page – created myself an account, clicked on the confirmation email and got free access to anywhere and everything on these Moodles. One is a secondary school not too many miles from me; the other two are primary schools. Worryingly, when I had logged into one primary school – in Skelmersdale – I gained immediate access to editing the front page… Naturally I owned up immediately to all three (once I had thoroughly investigated their content). And fortunately for them, these are Moodles in their infancy with very few users and not a lot of content.

However, it does highlight the importance of having someone knowledgeable and competent as Admin, and this is where those tempted to go the Moodle way can be dissuaded by the commercial companies who will argue that it is only they who are trustworthy enough to administrate – and charge schools thousands to do so. Not true; but it is vital that whoever has Admin rights within the school is aware of the different types of authentication. These three (and how many more?) were set – inadvertently, methinks – to ‘email based self authentication’ whereby anyone can get an account simply by filling in the form. They should have set their authentication to ‘manual’ and only allowed in those they wish.

I’m a trustworthy CRB cleared educator – but who knows what could be offered to someone unscrupulous who chanced upon these school Moodles? Even more of a concern: the Skelmersdale primary Moodle I got into is actually managed by a paid company who advertise themselves to schools. (Not a Moodle partner, by the way.) Here’s the link to Moodle docs – is your Moodle safe?

This post was published on Saturday, 24 May 2008 at 16:14 and is filed under the category Moodle. You can follow the comments on this entry through the RSS feed. You can leave a comment, or send a trackback from your own weblog.

3 Comments

  1. A really useful post, especially when the default setting on a new Moodle is ‘email based self authentication’.

    Off to check ours right now!

    Comment: Dave Stacey – 24. May 2008 @ 8:38 pm

  2. Good question. For more security concerns see this site I just ran across:

    http://www.moodleus.org/blog

    Comment: Moodle – 07. June 2008 @ 3:40 pm

  3. You bring up a good argument why organizations or institutions may wish to consider a hosted option where IT admin support is available. Yes, it’s true that self-run Moodle implementations are frequently vulnerable to outside attack. Maybe the reason it hasn’t already become pervasive is because of the low-value content to most hackers. Anyway, as they used to say on Hill Street Blues, “Let’s be careful out there!”

    Comment: moodle-experts – 20. December 2008 @ 12:35 am
