Coursera privacy issues exposed
Posted on 05 September 2014.
When well-known lawyer and Stanford law lecturer Jonathan Mayer was invited to teach a course on government surveillance on Coursera, the popular website offering free online university-level courses, he was excited.

But being also a computer scientist, he couldn't resist analyzing and poking around the platform that enables the teachers to teach and the course-takers to learn, and he found some issues that can be exploited to compromise the privacy of the students, namely to:
  • Make a complete list of all the students (names and email addresses),
  • Reveal information about the courses they take to random websites, and
  • Undo the protection (supposedly) provided them by the use of external and internal IDs.
To prove the exploitation potential of his findings, he created PoC code for the first two vulnerabilities. He managed to fetch 1,000 user names and email addresses from the student database, and to extract course information about the users he implemented a test page that retrieves it.

The last issue had to do with the fact that external IDs were easily reversible hashes of either a small number or the internal ID; knowing this, it is trivial to build a dictionary mapping internal to external IDs, Mayer noted. But this particular problem can be easily solved by removing external IDs altogether, as their existence and use bring no security or privacy benefit, he pointed out.
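To illustrate why a hash of a small-domain identifier is not a pseudonym, here is an added example (not Mayer's code and not Coursera's scheme): the hash function, ID range and HMAC alternative are assumptions, since the post does not name them. It builds the full reversal dictionary over a constructed ID space and shows that an unkeyed hash is reversed instantly while a keyed one is not; the page's own recommendation remains simply to drop the external IDs.

```python
import hashlib
import hmac
import secrets

# Constructed example: a small internal ID space. The hash function (SHA-256)
# and the size of the space are assumptions for illustration only.
ID_SPACE = range(1, 100_001)


def weak_external_id(internal_id: int) -> str:
    """Unkeyed hash of a low-entropy identifier: a 'pseudonym' anyone can reverse."""
    return hashlib.sha256(str(internal_id).encode()).hexdigest()


def build_reversal_dictionary(ids=ID_SPACE) -> dict:
    """Precompute external -> internal for the whole (small) ID space.
    This is the audit check a reviewer would run: if the table is cheap to
    build, the external ID offers no privacy over the internal one."""
    return {weak_external_id(i): i for i in ids}


def reverse_external_id(external_id: str, table: dict):
    """Look an observed external ID up in the precomputed table (None if absent)."""
    return table.get(external_id)


def keyed_external_id(internal_id: int, key: bytes) -> str:
    """Swapped-in mitigation (assumed, not from the page): an HMAC with a
    server-side secret key cannot be tabulated without that key."""
    return hmac.new(key, str(internal_id).encode(), hashlib.sha256).hexdigest()


def demo(internal_id: int = 42_017):
    """Return (recovered_from_weak_id, recovered_from_keyed_id)."""
    table = build_reversal_dictionary()
    recovered_weak = reverse_external_id(weak_external_id(internal_id), table)
    key = secrets.token_bytes(32)  # stays on the server in a real deployment
    recovered_keyed = reverse_external_id(keyed_external_id(internal_id, key), table)
    return recovered_weak, recovered_keyed


if __name__ == "__main__":
    weak, keyed = demo()
    print("unkeyed hash reversed to:", weak)       # 42017
    print("keyed hash reversed to:", keyed)        # None
```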

He notified Coursera of all of these pitfalls; the company has partially solved the first one but has yet to address the second. Luckily, the changes needed to solve these problems should be easy to implement.

For more information about the flaws, check out the original blog post.