According to security researchers, Coursera has had some security issues lately. The most serious was an application programming interface (API) problem, more precisely a Broken Object Level Authorization (BOLA) issue that could have exposed personal data.
Background on Coursera
Coursera Inc. (COUR) is an online education provider that offers students massive open online courses (MOOCs), professional courses, and even degrees. Coursera was founded in 2012 by Stanford University computer science professors Andrew Ng and Daphne Koller, and it does not create educational content itself. Instead, the company works with universities and other organizations, providing them with an online platform that students pay to access.
- it offers products at a wide range of prices, from free courses to $30,000 degree programs
- as of 2020, Coursera had raised $464 million across multiple funding rounds
- on March 31, 2021, Coursera offered more than 15 million shares at $33 each
- the online education provider is partnered with more than 200 universities, nonprofits and businesses
- it wants to expand in Latin America, and most recently Coursera partnered with universities in Colombia, Mexico and Argentina to extend its reach
- the platform is used by 82 million learners and hundreds of Fortune 500 companies
What actually happened?
The Checkmarx Security Research Team published a report on Thursday detailing its findings. The issues found included:
- user and account enumeration via the password reset feature
- lack of resource limiting (rate limiting) on both the GraphQL API (GraphQL is an open-source data query and manipulation language for APIs) and the REST API (representational state transfer)
- a GraphQL misconfiguration
- a Broken Object Level Authorization (BOLA) issue affecting users’ preferences
BOLA is the number one issue in OWASP’s API Security Top 10 list because these issues are so easy to exploit, and it is hard to defend against the threat “in an organized way.”
Coursera’s BOLA issue, which is now fixed, meant that “anonymous users” could retrieve and change user preferences, according to the report written by Paulo Silva, one of the security researchers. In addition, some of the user preferences, such as recently viewed courses and certifications, also leaked metadata (such as activity date and time).
In the report, Silva said that Checkmarx was inspired to assess Coursera’s security posture given how “remote everything,” including on-demand and e-learning courses, has grown during the pandemic.
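The defect pattern described above, as an added illustration that is not Coursera’s or Checkmarx’s code: a framework-free Python model of a user-preferences endpoint whose handler trusts the client-supplied user id, next to a fixed version that requires an authenticated session and checks object ownership before any read or write. The store, user ids, course names and timestamp are constructed sample data.

```python
# Added example (not Coursera's or Checkmarx's code): a minimal model of a
# "user preferences" API showing the BOLA pattern beside its fixed form.
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass
class Session:
    user_id: Optional[str]  # None models an anonymous (unauthenticated) caller


@dataclass
class Preferences:
    owner: str
    recently_viewed: list = field(default_factory=list)
    last_activity: str = "2020-10-01T12:00:00Z"  # constructed sample timestamp


# Constructed sample store keyed by user id (the "object" in BOLA).
STORE = {
    "u-1001": Preferences("u-1001", ["ml-basics", "api-security"]),
    "u-1002": Preferences("u-1002", ["data-science"]),
}


def get_preferences_vulnerable(session: Session, user_id: str) -> Preferences:
    # Looks up whatever id the client supplied; never checks who is asking.
    return STORE[user_id]


def set_recent_vulnerable(session: Session, user_id: str, course: str) -> None:
    # Same defect on the write path: anyone can rewrite another user's activity.
    STORE[user_id].recently_viewed.insert(0, course)


def _authorize(session: Session, user_id: str) -> Preferences:
    # Fix: require an authenticated caller, then check ownership of the object.
    if session.user_id is None:
        raise Forbidden("authentication required")
    prefs = STORE.get(user_id)
    if prefs is None or prefs.owner != session.user_id:
        # Identical response for "not found" and "not yours": no id enumeration.
        raise Forbidden("no access to this object")
    return prefs


def get_preferences_fixed(session: Session, user_id: str) -> Preferences:
    return _authorize(session, user_id)


def set_recent_fixed(session: Session, user_id: str, course: str) -> None:
    _authorize(session, user_id).recently_viewed.insert(0, course)


def is_blocked(fn, session: Session, user_id: str) -> bool:
    """True when fn refuses the (session, user_id) pair with Forbidden."""
    try:
        fn(session, user_id)
    except Forbidden:
        return True
    return False
```

The fixed handler makes the authorization decision from the server-side session, never from the id in the request, which is the check the vulnerable path lacks.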
According to estimates, remote learning and training will be a $350 billion industry by 2025, up from $18 billion in 2019.
Coursera’s own Vulnerability Disclosure Program identifies access control as a security concern, for example when unauthorised users can obtain other users’ private data, such as their grades or private forum posts. Other issues covered by the platform’s disclosure program are those that let users confuse other learners, including running scripts in other users’ browsers or changing other users’ grades. Finally, the program covers leaks that expose Coursera’s internal management control system.
Paulo Silva explained that the BOLA issue “perfectly fits” Coursera’s concerns about access control issues. “This vulnerability could have been abused to understand general users’ courses preferences at a large scale, but also to somehow bias users’ choices, since manipulating their recent activity affected the content rendered on Coursera’s homepage for a specific user.”
Leaky APIs and how they affect the system
Put briefly, APIs are intermediaries between applications: they define how applications communicate with each other and let them exchange information.
However, API leaks are not uncommon and have often been the cause of major security incidents. For example, insecure APIs are what led to Experian leaking most Americans’ credit scores in April. In May, another leaky API exposed Peloton riders’ information.
Poorly programmed APIs are an obvious attack vector and one of the most common ways to obtain data from poorly secured applications. They are as common as spring dandelions:
When researcher Alissa Knight, working with Approov, tried to break into the APIs of 30 different mobile medical application providers, she found that all of them were vulnerable to some degree. 77% of them contained hard-coded API keys, some of which never expire, allowing attackers to intercept API exchanges. In addition, 7% of these APIs belonged to third-party payment processors, which explicitly warn against hard-coding their secret keys in plain text.
Knight also found that 100% of the API endpoints tested were vulnerable to BOLA attacks, which allowed her to view the PHI (personal health information) and PII (personally identifiable information) of patients who were not assigned to her account. In his report, Silva stated that API access control issues are “one of the biggest security problems facing APIs.”
He also said that:
“As vulnerable APIs increasingly fall into adversaries’ sights, it’s critical that developers receive proper education on best practices for embedding security into their design from the get-go.”
– Paulo Silva
Checkmarx revealed its findings to Coursera’s security team in October. By May 24, 2021, Coursera had resolved all the API issues, including a new one that the security team found and reported in January.
Timeline of the research:
- October 5, 2020 – Checkmarx sent the full report to Coursera’s security team
- October 26, 2020 – Coursera acknowledged receipt of the report and said they were working on it
- December 18, 2020 – Coursera wrote that all issues had been resolved
- January 2, 2021 – Checkmarx sent a re-test report with one new issue
- May 24, 2021 – Coursera confirmed all issues are fixed
- July 8, 2021 – Public disclosure
A spokesperson from Coursera said that:
“The privacy and security of learners on Coursera is a top priority. We’re grateful to Checkmarx for bringing the low-risk API-related issues — which did not expose any personal data of learners, customers, or partners — to the attention of our security team last year, who were able to address and resolve the issues promptly.”
– Coursera spokesperson