This post has been edited to include a comment from Coursera

Newly disclosed vulnerabilities in platform services provided by online education provider Coursera Inc. could have exposed user data before being fixed.

Discovered by researchers at application security testing company Checkmarx Ltd. and publicized today, the vulnerabilities relate to a range of Coursera application programming interfaces. The researchers decided to dig into Coursera’s security because of its increasing popularity through the switch to online work and learning due to the COVID-19 pandemic.

Coursera, a venture capital-funded company, has 82 million users and works with more than 200 companies and universities. Notable partnerships include the University of Illinois, Duke University, Google LLC, University of Michigan, International Business Machines Corp., Imperial College London, Stanford University and the University of Pennsylvania.

Multiple API issues were discovered, including user/account enumeration via the reset password feature, lack of resources limiting on both a GraphQL and REST API, and a GraphQL misconfiguration. In particular, a Broken Object Level Authorization issue tops the list.

The BOLA API vulnerability is described as affected user preferences. By exploiting the vulnerability, even anonymous users were able to retrieve preferences but also change them. Some of the preferences, such as recently viewed courses and certifications also leak some metadata.

“This vulnerability could have been abused to understand general users’ courses preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user,” the researchers explain.

The researchers noted that authorization issues are quite common with APIs and that as such, it is important to centralize access control validations. Doing so should be through a single, well and continuously tested and maintain component.

The vulnerabilities discovered were sent to Coursera’s security team on Oct. 5. Confirmation that the company has received the report and was working on it came Oct. 26, with Coursera subsequently writing to Cherkmarx saying they had resolved the issues on Dec. 18. Forward to Jan. 2 and Coursera then sent a re-test report with one new issue. Eventually, on May 24, Coursera confirmed that all issues were all fixed.

Despite the rather long timeline from disclosure to fix, the researchers said it was a pleasure working with the Coursera security team. “Their professionalism and cooperation, as well as the prompt ownership they took, are what we hope for when we engage with software companies,” they concluded.

A spokesperson for Coursera reached out to SiliconANGLE after the publication of this story and noted that “the privacy and security of learners on Coursera is a top priority.”

“We’re grateful to Checkmarx for bringing the low-risk API-related issues — which did not expose any personal data of learners, customers, or partners — to the attention of our security team last year, who were able to promptly address and resolve the issues,” the spokesperson added.

Photo: Coursera