But being also a computer scientist, he didn't resist analyzing and poking around the platform that enables the teachers to teach and the course-takers to learn, and he found some issues that can be exploited to compromise the privacy of the students, namely to:
- Make a complete list of all the students (names and email addresses),
- Reveal information about the courses they take to random websites, and
- Undo the protection (supposedly) provided to them by the use of external and internal IDs.
The last issue had to do with the fact that external IDs were easily reversible hashes of either a small number or the internal ID. Knowing this, it is trivial to build a dictionary of internal and external IDs, Mayer noted. But this particular problem can be easily solved by removing external IDs altogether, as their existence and use do not bring any security or privacy benefit, he pointed out.
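The following added example (not code from the article, from Mayer, or from Coursera) shows why an unkeyed hash over a small ID space gives no pseudonymity, by measuring how many external IDs an outsider can map back. The hash function (SHA-256), the ID range, the sample IDs and the HMAC contrast scheme are assumptions made for illustration; the fix reported in the article is to remove external IDs altogether.

```python
import hashlib
import hmac
import secrets

# Constructed assumption: internal IDs are small sequential integers.
ID_SPACE = range(1, 200_001)


def unkeyed_external_id(internal_id: int) -> str:
    """Weak scheme: external ID is a plain hash of the internal ID (SHA-256 assumed)."""
    return hashlib.sha256(str(internal_id).encode()).hexdigest()


def keyed_external_id(internal_id: int, key: bytes) -> str:
    """Contrast scheme: HMAC under a server-side secret an outsider never sees."""
    return hmac.new(key, str(internal_id).encode(), hashlib.sha256).hexdigest()


def build_dictionary(derive) -> dict:
    """Map every external ID computable with `derive` back to its internal ID."""
    return {derive(i): i for i in ID_SPACE}


def recoverable(external_ids, dictionary) -> float:
    """Fraction of observed external IDs that map back to an internal ID."""
    hits = sum(1 for e in external_ids if e in dictionary)
    return hits / len(external_ids)


def audit():
    """Return (fraction reversed for unkeyed hash, fraction reversed for HMAC)."""
    server_key = secrets.token_bytes(32)
    sample = [17, 4242, 199_999]  # constructed internal IDs
    # An outsider can only run the public, unkeyed derivation.
    outsider_dict = build_dictionary(unkeyed_external_id)
    weak = recoverable([unkeyed_external_id(i) for i in sample], outsider_dict)
    keyed = recoverable([keyed_external_id(i, server_key) for i in sample], outsider_dict)
    return weak, keyed


if __name__ == "__main__":
    weak, keyed = audit()
    print(f"unkeyed hash: {weak:.0%} of external IDs reversed")
    print(f"keyed HMAC:   {keyed:.0%} of external IDs reversed")
```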
He notified Coursera of all of these pitfalls, and the company has partially solved the first one but has yet to address the second one. Luckily, changes to solve these problems should be easy to implement.
For more information about the flaws, check out the original blog post.