Following a string of spam incidents on ELMS during the last week of February, the developer of the learning management system is monitoring third-party applications on the site more closely.

The messages, which students said began circulating around Feb. 24 and continued until March 1, promoted a site called oneclass.com. The site was ostensibly a resource for notes and study material, but when students clicked on the link, their Enterprise Learning Management System accounts were hijacked and sent the same spam messages to members of many of their classes.

Once this university’s Division of Information Technology informed it of the problem, Instructure Canvas, the developer that runs ELMS, revoked the access of OneClass, a study-resource company located in Toronto that had been using the spam for marketing, a spokeswoman said.

ELMS allows third-party applications to integrate into the site through application program interfaces, said Melissa Loble, head of Canvas partnerships. This allows services such as clicker registration through the site and integration of YouTube videos.

However, Canvas has a clear policy against these applications using blast messaging or sending messages through accounts without the individual’s knowledge or choice, Loble said.

“As soon as we found out they were doing something in violation of our policy, particularly the spamming, we revoked their access,” she said.

Loble said third-party applications are still an essential part of ELMS, adding that OneClass has proved the only problem among nearly 200 applications. She said Canvas will now review the applications more closely and ensure their policies are understood.

“They are literally looking at their policies to make sure this type of technical glitch does not happen again,” said Phyllis Johnson, DIT communications director.

No student information was accessed by OneClass, Loble said, and the site’s access to Canvas is still revoked.

Marcio Oliveira, DIT executive director of learning technology services, wrote in a news release that Canvas is working to make sure there are “no other outstanding API tokens that OneClass can use to act on the behalf of any UMD user of ELMS.”

This “technical glitch” serves as a reminder to carefully analyze incoming emails before clicking on links, Oliveira wrote.

Senior Michael Xue, whose ELMS account sent out spam messages to many of his classes after he clicked on the link, said this university and Canvas should do more to make sure the problem doesn’t arise again.

“Technically, it’s a small issue, but it could make a big problem in the future,” the management and mechanical engineering major said, noting that if a third-party application could send messages from trusted student accounts, other sophisticated programs could possibly do more damage.

He said loopholes need to be fixed and Canvas should do a more in-depth review of third-party applications before allowing them.

While clicker programs have a clear use on Canvas, sites like OneClass have no obvious reason for integration, he said.

He said he also wished DIT had tried harder to inform students of the issue.

“It would be nice if they sent out a mass email about this,” he said.