This top online learning platform had some serious security flaws
Coursera says issue has now been fixed
Update: A Coursera spokesperson contacted us with the following statement:
"The privacy and security of learners on Coursera is a top priority. We’re grateful to Checkmarx for bringing the low-risk API-related issues — which did not expose any personal data of learners, customers, or partners — to the attention of our security team last year, who were able to promptly address and resolve the issues."
Cybersecurity researchers have discovered an API vulnerability in Coursera that could have been abused to read and manipulate a user's recent activity.
Coursera is one of the most popular online learning platforms around, claiming to be used by over 82 million people globally.
However, analysis by security specialists Checkmarx found multiple API issues on Coursera, including a Broken Object Level Authorization (BOLA) flaw affecting users' preferences.
“This vulnerability could have been abused to understand general users’ course preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user,” wrote Erez Yalon, Head of Security Research at Checkmarx.
Authorization issue
Explaining the issue, Yalon writes that, posing as regular users, the Checkmarx researchers were able to request various preference data belonging to other users by modifying the GET API requests.
They then refined the method to demonstrate that even anonymous (unauthenticated) users could retrieve the preferences of any registered user.
More seriously, they built on the same flaw to modify any user's preferences, not just read them.
Yalon notes that authorization issues are common in APIs, and says that access control is one of the biggest API security challenges; BOLA sits at the top of the OWASP API Security Top 10 (API1:2019) for that reason.
“It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component,” concludes Yalon, noting that Coursera resolved the issues after Checkmarx responsibly disclosed them.
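As an added example (not code from the article, from Coursera or from Checkmarx), the following Python sketch models the preferences endpoint described above: one handler with the BOLA flaw the researchers exploited, where the user id in the URL is trusted and never compared with the session, beside one that routes every ownership decision through a single authorize() function in the way Yalon recommends. The route, user ids, field names, the Request type and the sample records are assumptions for illustration only.

```python
"""
Added example: a BOLA-vulnerable preferences handler beside a hardened one
that centralises the object-level check.  Routes, ids and field names are
assumed for illustration and are not Coursera's real API.
"""
import copy
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real records): two registered users and the
# "recent activity" that drives their personalised homepage.
PREFERENCES = {
    101: {"recent_activity": ["Machine Learning"]},
    202: {"recent_activity": ["Python for Everybody"]},
}

# Assumed route shape; the article does not give the real path.
ROUTE = re.compile(r"^/api/users/(\d+)/preferences$")


@dataclass
class Request:
    method: str                  # "GET" (read) or "PUT" (modify)
    path: str                    # e.g. "/api/users/101/preferences"
    session_user: Optional[int]  # id from a valid session, None if anonymous
    body: dict = field(default_factory=dict)


def _target_user(req: Request) -> Optional[int]:
    m = ROUTE.match(req.path)
    return int(m.group(1)) if m else None


def vulnerable_handler(req: Request, store: dict):
    """BOLA: the id in the URL is used as-is and never compared with the
    session, so any caller (even anonymous) can read or overwrite any record."""
    uid = _target_user(req)
    if uid is None or uid not in store:
        return 404, {"error": "not found"}
    if req.method == "GET":
        return 200, store[uid]
    if req.method == "PUT":
        store[uid].update(req.body)
        return 200, store[uid]
    return 405, {"error": "method not allowed"}


def authorize(req: Request, owner: int):
    """The single, centrally maintained object-level check.

    Returns None when the caller may act on the object owned by `owner`,
    otherwise the (status, body) error the handler should return.  Identity
    is checked before ownership, so anonymous callers get 401 and other users
    get 403 without learning whether the record exists."""
    if req.session_user is None:
        return 401, {"error": "authentication required"}
    if req.session_user != owner:
        return 403, {"error": "forbidden"}
    return None


def hardened_handler(req: Request, store: dict):
    """Same endpoint, with every ownership decision routed through authorize()."""
    uid = _target_user(req)
    if uid is None:
        return 404, {"error": "not found"}
    denied = authorize(req, uid)
    if denied is not None:
        return denied
    if uid not in store:
        return 404, {"error": "not found"}
    if req.method == "GET":
        return 200, store[uid]
    if req.method == "PUT":
        # Accept only the fields a user is allowed to set on their own record.
        allowed = {k: v for k, v in req.body.items() if k == "recent_activity"}
        store[uid].update(allowed)
        return 200, store[uid]
    return 405, {"error": "method not allowed"}


def run_scenarios(handler):
    """Replay the probes from the write-up (read as another user, read while
    anonymous, write as another user) against a fresh copy of the data and
    return the status codes plus the victim's final state."""
    store = copy.deepcopy(PREFERENCES)
    other = Request("GET", "/api/users/202/preferences", session_user=101)
    anon = Request("GET", "/api/users/202/preferences", session_user=None)
    tamper = Request("PUT", "/api/users/202/preferences", session_user=101,
                     body={"recent_activity": ["Attacker's Choice"]})
    owner = Request("GET", "/api/users/202/preferences", session_user=202)
    return {
        "other_user_read": handler(other, store)[0],
        "anonymous_read": handler(anon, store)[0],
        "other_user_write": handler(tamper, store)[0],
        "owner_read": handler(owner, store)[0],
        "victim_activity": store[202]["recent_activity"],
    }


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, run_scenarios(h))
```

Against the vulnerable handler all three probes return 200 and the victim's homepage activity is overwritten; against the hardened one the anonymous read gets 401, the cross-user read and write get 403, and only the owner's own read succeeds. Because authorize() is the one place that decides ownership, adding a new route cannot silently skip the check, which is the point of centralising it.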
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.