When well-known lawyer and Stanford law lecturer Jonathan Mayer was invited to teach a course on government surveillance on Coursera, the popular online website offering free online university-level courses, he was excited.
But being also a computer scientist, he didn’t resist analyzing and poking around the platform that enables the teachers to teach and the course-takers to learn, and he found some issues that can be exploited to compromise the privacy of the students, namely to:
- Make a complete list of all the students (names and email addresses),
- Reveal information about the courses they take to random websites, and
- Undo the protection (supposedly) provided them by the use of external and internal IDs.
To prove the exploitation potential of his findings, he created PoC code for the first two vulnerabilities. He has managed to fetch 1,000 user names and email addresses from the student database, and for extracting course information about the users, he implemented code in a test page that retrieves it.
The last issue had to do with the fact that external IDs were easily reversible hashes of either a small number or the internal ID and, knowing this, it is trivial to build a dictionary of internal and external IDs, Mayer noted. But this particular problem can be easily solved by removing external IDs altogether, as their existence and use does not bring any security or privacy benefit, he pointed out.
He notified Coursera of all of these pitfalls, and the company has partially solved the first one but has yet to address the second one. Luckily, changes to solve these problems should be easy to implement.
For more information about the flaws, check out the original blog post.