2021-07-09

Cybersecurity researchers have discovered an API vulnerability in Coursera that could have been abused to read and manipulate a user's recent activity.

Coursera is one of the most popular online learning platforms around, claiming to be used by over 82 million people globally.

However, analysis by security specialists Checkmarx uncovered multiple API issues on Coursera, including a Broken Object Level Authorization (BOLA) issue that affected users' preferences.

“This vulnerability could have been abused to understand general users’ courses preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user,” wrote Erez Yalon, Head of Security Research at Checkmarx.

Authorization issue

Explaining the issue, Yalon writes that, posing as regular users, the Checkmarx researchers were able to request various preference data of other users by modifying the GET API requests.

They then fine-tuned their method to demonstrate that even anonymous users had no difficulty accessing the preferences of any registered user.

Critically, however, they built on the vulnerability to successfully modify any user's preferences.

Noting that authorization issues are quite common with APIs, Yalon says that API access control issues are one of the biggest security challenges.

“It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component,” concludes Yalon, noting that Coursera has resolved the issues after they were responsibly disclosed by Checkmarx.
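As an added illustration (not Checkmarx's or Coursera's code), here is a toy preferences endpoint in the vulnerable BOLA shape described above, beside the same handler routed through a single, centralized object-level authorization check of the kind Yalon recommends. The user ids, in-memory store and request shape are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def sample_store():
    """Constructed sample data: two registered users and their preference records."""
    return {"user-1": {"recent_activity": ["intro-to-python"]},
            "user-2": {"recent_activity": ["data-science-101"]}}

@dataclass
class Request:
    method: str            # "GET" or "PUT"
    user_id: str           # id from the URL path, e.g. /api/users/{user_id}/preferences
    caller: Optional[str]  # authenticated user id from the session, None if anonymous
    body: Optional[dict] = None

class AuthzError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def vulnerable_preferences(store, req):
    """BOLA pattern: the handler trusts the user id in the URL, so any caller,
    anonymous included, can read or rewrite any user's record."""
    record = store.setdefault(req.user_id, {"recent_activity": []})
    if req.method == "PUT":
        record.update(req.body or {})
    return record

def authorize_object_access(caller, owner_id):
    """Centralized object-level check shared by every handler that touches a
    user-owned object: reject anonymous callers, then require ownership."""
    if caller is None:
        raise AuthzError(401, "authentication required")
    if caller != owner_id:
        raise AuthzError(403, "caller does not own this object")

def hardened_preferences(store, req):
    """Same handler, but the central check runs before any data is touched."""
    authorize_object_access(req.caller, req.user_id)
    record = store.setdefault(req.user_id, {"recent_activity": []})
    if req.method == "PUT":
        record.update(req.body or {})
    return record

def handle(handler, store, req):
    """Dispatch helper returning an HTTP-style (status, body) pair."""
    try:
        return 200, handler(store, req)
    except AuthzError as exc:
        return exc.status, {"error": str(exc)}
```

Because every handler calls the same `authorize_object_access`, a missing check is a single, testable omission rather than one scattered across each endpoint.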