Coursera’s newly discovered flaws may have exposed private user data

It is emerging that online education provider Coursera may have exposed user data. The revelation comes after researchers at Checkmarx, an application security testing company, found vulnerabilities in Coursera’s platform.

The flaws were publicized on Thursday and relate to a range of Coursera’s APIs (application programming interfaces).

The researchers decided to look into Coursera’s security because of its increasing popularity, driven by the switch to online work and learning in the wake of a pandemic that has now lasted for more than a year.

Who was exposed, and the flaws

Coursera is a venture capital-funded company with 82 million users, including more than 200 universities and companies.

Some of its notable partners include the University of Illinois, Duke University, University of Michigan, Google, International Business Machines, University of Pennsylvania, Imperial College London, and Stanford University.

Several issues were discovered, including user/account enumeration via the password reset feature, a GraphQL misconfiguration, and a lack of resource limiting in both the REST API and GraphQL. At the top of this list of vulnerabilities is a Broken Object Level Authorization (BOLA) issue.

What the flaws enabled

The BOLA API flaw affects user preferences. If exploited, the vulnerability could be used anonymously to retrieve a user’s preferences and even change them. Among the preferences that could be viewed are recently accessed courses and certifications, which leak some metadata.

The researchers explain that the vulnerability could have been abused to gather information about users’ course preferences at scale, and also to bias users’ choices, because manipulating recent activity could affect the content rendered on the homepage for specific users.

The researchers added that these issues are common in APIs, and that centralizing access control validation is important to avoid them.
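To illustrate the pattern behind the preferences BOLA and the centralized check the researchers recommend, here is an added example (not Coursera’s or Checkmarx’s code). The data store, handler names and `count_readable` helper are assumptions; the point is that the hardened handlers route every object access through one `authorize_object_access` function.

```python
from typing import Optional

# Constructed sample store: object id -> preferences record with its owner.
PREFERENCES = {
    101: {"owner": 101, "recent_courses": ["ml-101"]},
    102: {"owner": 102, "recent_courses": ["sec-201"]},
}

class Forbidden(Exception):
    """Raised by the centralized check when a caller may not touch an object."""

def vulnerable_get_preferences(caller_id: Optional[int], target_id: int) -> dict:
    # BOLA: the handler looks up whatever id the client supplied and never
    # asks who the caller is, so an anonymous request reads any user's record.
    return dict(PREFERENCES[target_id])

def vulnerable_update_preferences(caller_id: Optional[int], target_id: int, body: dict) -> dict:
    # Same defect on the write path: anyone can rewrite another user's
    # recent activity, which (per the article) could bias their homepage.
    PREFERENCES[target_id].update(body)
    return dict(PREFERENCES[target_id])

def authorize_object_access(caller_id: Optional[int], owner_id: int) -> None:
    # The one place object-level authorization lives: anonymous callers
    # (None) and callers who do not own the object are rejected.
    if caller_id is None or caller_id != owner_id:
        raise Forbidden(f"caller {caller_id} may not access object owned by {owner_id}")

def get_preferences(caller_id: Optional[int], target_id: int) -> dict:
    record = PREFERENCES[target_id]
    authorize_object_access(caller_id, record["owner"])
    return dict(record)

def update_preferences(caller_id: Optional[int], target_id: int, body: dict) -> dict:
    record = PREFERENCES[target_id]
    authorize_object_access(caller_id, record["owner"])
    # Never let the client rewrite the ownership field itself.
    record.update({k: v for k, v in body.items() if k != "owner"})
    return dict(record)

def count_readable(handler, caller_id: Optional[int]) -> int:
    # Defender-side regression check: how many records can this caller read
    # through the given handler? A correct handler yields at most one.
    readable = 0
    for target_id in PREFERENCES:
        try:
            handler(caller_id, target_id)
            readable += 1
        except Forbidden:
            pass
    return readable
```

Running `count_readable` against each handler in a test suite is a cheap way to catch a missing object-level check before it reaches production.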