Disclosure of Sensitive Information in the Virtual Learning Environment Moodle

  • Víctor Gayoso Martínez
  • Luis Hernández Encinas
  • Ascensión Hernández Encinas
  • Araceli Queiruga Dios
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 239)


In recent years, the use of Virtual Learning Environments (VLEs) has greatly increased. Due to the requirements stated by the Bologna process, many European universities are changing their education systems to new ones based on information and communication technologies. The use of web environments makes their security an important issue, which must be taken into full consideration. Services or assets of the e-learning systems must be protected from any threats to guarantee the confidentiality of users’ data. In this contribution, we provide an initial overview of the most important attacks and countermeasures in Moodle, one of the most widely used VLEs, and then we focus on a type of attack that allows illegitimate users to obtain the username and password of other users when making a course backup in specific versions of Moodle. In order to illustrate this information we provide the details of a real attack in a Moodle 1.9.2 installation.


Keywords: Cryptography, Learning Environment, Moodle, Secure Communications, Web Security





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Víctor Gayoso Martínez (1)
  • Luis Hernández Encinas (1)
  • Ascensión Hernández Encinas (2)
  • Araceli Queiruga Dios (2)

  1. Information Security Institute (ISI), Spanish National Research Council (CSIC), Madrid, Spain
  2. Department of Applied Mathematics, E.T.S.I.I. of Béjar, University of Salamanca, Salamanca, Spain
