Update: A Coursera spokesperson contacted us with the following statement:
"The privacy and security of learners on Coursera is a top priority. We’re grateful to Checkmarx for bringing the low-risk API-related issues — which did not expose any personal data of learners, customers, or partners — to the attention of our security team last year, who were able to promptly address and resolve the issues."
Cybersecurity researchers have discovered an API vulnerability in Coursera that could have been abused to read and manipulate a user’s recent activity.
Coursera is one of the most popular online learning platforms around, claiming to be used by over 82 million people globally.
However, analysis by security specialists Checkmarx uncovered multiple API issues on Coursera, including a Broken Object Level Authorization (BOLA) issue that affected users’ preferences.
“This vulnerability could have been abused to understand general users’ courses preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user,” wrote Erez Yalon, Head of Security Research at Checkmarx.
Explaining the issue, Yalon writes that, posing as regular users, the Checkmarx researchers were able to request the preference data of other users simply by modifying the user identifier in the GET API requests.
They then further fine-tuned their method to demonstrate that even anonymous users would have no trouble accessing the preferences of any registered user.
Critically, however, they built upon the vulnerability to successfully modify any user’s preferences.
Noting that authorization issues are quite common with APIs, Yalon says that API access control issues are one of the biggest security challenges.
“It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component,” concludes Yalon, noting that Coursera resolved the issues after they were responsibly disclosed by Checkmarx.
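To make the two points above concrete, here is an added illustration (not Checkmarx’s or Coursera’s code) of a minimal in-memory preferences endpoint: a handler with the BOLA flaw, which trusts the user id in the URL path, beside a hardened handler that routes every read and write through one central authorization function. The request model, store contents and user ids are constructed for the example.

```python
# Added example: an in-memory model of the "preferences" API issue described
# above. Not code from Checkmarx or Coursera; all ids and data are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def sample_store() -> Dict[str, dict]:
    """Constructed store: user id -> preferences (recently viewed courses)."""
    return {
        "u100": {"recent": ["Machine Learning", "Python Basics"]},
        "u200": {"recent": ["Data Science 101"]},
    }


@dataclass
class Request:
    method: str                            # "GET" (read) or "PUT" (modify)
    path_user_id: str                      # object id taken from the URL path
    session_user_id: Optional[str] = None  # None models an anonymous caller
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def vulnerable_preferences(req: Request, store: Dict[str, dict]) -> dict:
    """BOLA: the caller is never checked against the object it addresses, so
    any (even anonymous) caller can read or overwrite any user's preferences."""
    prefs = store[req.path_user_id]
    if req.method == "PUT":
        prefs.update(req.body)
    return prefs


def authorize(req: Request, owner_id: str) -> None:
    """The single, central object-level check: the caller must be logged in
    and must own the object addressed in the path."""
    if req.session_user_id is None or req.session_user_id != owner_id:
        raise Forbidden(f"{req.session_user_id!r} may not access {owner_id}")


def hardened_preferences(req: Request, store: Dict[str, dict]) -> dict:
    """Same endpoint, but every code path runs through authorize() first."""
    authorize(req, req.path_user_id)
    prefs = store[req.path_user_id]
    if req.method == "PUT":
        prefs.update(req.body)
    return prefs


def can_access(handler: Callable, req: Request) -> bool:
    """Probe a handler against a fresh store: True if the request succeeds."""
    try:
        handler(req, sample_store())
        return True
    except Forbidden:
        return False
```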