Skip to main content

Update from Canvas: OneClass Chrome plugin behaves like malware

Please read this warning from Canvas.


Canvas Admin Alert
OneClass Chrome plugin behaves like malware; Instructure's security team advises Canvas users not to install it and to remove it if they've already installed it

The “OneClass” Chrome extension behaves like malware. It can affect users of several LMSs, including Canvas. OneClass is not affiliated with Instructure in any way.

When a user installs the OneClass Chrome extension, it asks for permission to “read and change all your data on websites you visit.” If a user grants this permission, the plugin places a button in the user’s LMS (Canvas or other) labeled “Invite your classmates to OneClass.” If the user clicks this button, OneClass sends messages to all of the other users enrolled in the course via the LMS’s messaging system (for Canvas, that’s Conversations). Each message says:

Hey guys, I just found some really helpful notes for the upcoming exams for [school name] courses at I highly recommend signing up for an account now that way your first download is free!

We suggest you strongly encourage your users not to install or use the OneClass Chrome extension and to remove it if they’ve already installed it. The phishing-like “invite your classmates” behavior is bad enough, and the permission the extension prompts users to grant theoretically allows it to do even more unpleasant things.


Canvas Security Team