This top online learning platform had some serious security flaws

security threat
(Image credit: Shutterstock.com)

Update: A Coursera spokesperson contacted us with the following statement:

"The privacy and security of learners on Coursera is a top priority. We’re grateful to Checkmarx for bringing the low-risk API-related issues — which did not expose any personal data of learners, customers, or partners — to the attention of our security team last year, who were able to promptly address and resolve the issues."

Cybersecurity researchers have discovered an API vulnerability in Coursera that could have been abused to read and manipulate a users’ recent activity.

Coursera is one of the most popular online learning platforms around, claiming to be used by over 82 million people globally.

However analysis by security specialists Checkmarx discovered multiple API issues on Coursera including a Broken Object Level Authorization (BOLA) issue that affected a users’ preferences.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

“This vulnerability could have been abused to understand general users’ courses preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user,” wrote Erez Yalon, Head of Security Research at Checkmarx.

Authorization issue

Explaining the issue Yalon writes that posing as regular users, the Checkmarx researchers were successfully able to request various preference data of other users by modifying the GET API requests. 

They then further fine tuned their method to demonstrate that even anonymous users wouldn’t have any issues in accessing the preferences of any registered user.

Critically however, they built upon the vulnerability to successfully modify any user’s preferences. 

Noting that authorization issues are quite common with APIs, Yalon says that API access control issues are one of the biggest security challenges.

“It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component,” concludes Yalon noting that Coursera has resolved the issues after they were responsible disclosed by Checkmarx.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.