A vulnerability in the Coursera API could allow the leakage of user data

A few days ago a vulnerability was disclosed in the popular online course platform Coursera. The problem lay in its API: it is considered very possible that attackers could have abused a broken object level authorization ("BOLA") vulnerability to learn users' course preferences, and even to skew the course options shown to a user.

It is also believed that the recently revealed vulnerabilities could have exposed user data before they were repaired. The flaws were discovered by researchers from the application security testing company Checkmarx and published during the past week.

The vulnerabilities relate to a variety of Coursera application programming interfaces. The researchers decided to delve into Coursera's security because of its growing popularity as work and learning moved online during the COVID-19 pandemic.

For those unfamiliar with Coursera, it is a company with 82 million users that works with more than 200 companies and universities. Notable partnerships include the University of Illinois, Duke University, Google, the University of Michigan, International Business Machines, Imperial College London, Stanford University, and the University of Pennsylvania.

Various API issues were discovered, including user/account enumeration via the password reset feature, a lack of resource limiting in both the GraphQL and REST APIs, and incorrect GraphQL configuration. In particular, a broken object level authorization (BOLA) issue tops the list.

When interacting with the Coursera web application as regular users (students), we noticed that recently viewed courses were displayed in the user interface. To represent this information, we detected multiple API GET requests to the same endpoint: /api/userPreferences.v1/[USER_ID]~[PREFERENCE_TYPE].

The BOLA API vulnerability is described as affecting user preferences. Taking advantage of it, even anonymous users were able not only to retrieve preferences but also to change them. Some of the preferences, such as recently viewed courses and certifications, also leak some metadata. BOLA flaws in APIs can expose endpoints that handle object identifiers, which could open the door to broader attacks.

"This vulnerability could have been abused to understand the course preferences of general users on a large scale, but also to skew users' choices in some way, as the manipulation of their recent activity affected the content presented on the Coursera home page for a specific user," the researchers explain.

"Unfortunately, authorization problems are quite common with APIs," say the researchers. "It is very important to centralize access control validations in a single component, well tested, continuously tested and actively maintained. New API endpoints, or changes to existing ones, should be carefully reviewed against their security requirements."

The researchers noted that authorization problems are quite common with APIs and that it is therefore important to centralize access control validations in a single component that is well tested and continuously maintained.
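As an added example that is not part of the original article nor Checkmarx's or Coursera's code: a minimal Python model of the /api/userPreferences.v1/[USER_ID]~[PREFERENCE_TYPE] handler, with the BOLA defect beside a version that routes every request through one central object-level authorization check, as the researchers recommend. The in-memory store, the session model and all function names are assumptions.

```python
# Added example: a model of the userPreferences endpoint, not the real service.
# The store, Session type and function names are assumptions for illustration.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: preference objects keyed by (user_id, preference_type).
PREFERENCES = {
    ("u100", "recentlyViewedCourses"): ["cs101", "ml201"],
    ("u200", "recentlyViewedCourses"): ["law110"],
}

# Path shape from the advisory: /api/userPreferences.v1/[USER_ID]~[PREFERENCE_TYPE]
PATH_RE = re.compile(r"^/api/userPreferences\.v1/(?P<user>[^~/]+)~(?P<ptype>[^/]+)$")


@dataclass
class Session:
    user_id: Optional[str]  # None models an anonymous (unauthenticated) caller


def parse_path(path):
    """Return (user_id, preference_type) from the path, or None if malformed."""
    m = PATH_RE.match(path)
    return (m.group("user"), m.group("ptype")) if m else None


def authorize_object(session, owner_id):
    """The single, centralized object-level check every handler must call:
    only an authenticated caller may touch preference objects they own."""
    return session.user_id is not None and session.user_id == owner_id


def get_preferences_vulnerable(session, path):
    # BOLA: trusts the USER_ID in the path and never checks who is asking.
    key = parse_path(path)
    if key is None or key not in PREFERENCES:
        return 404, None
    return 200, PREFERENCES[key]


def get_preferences_fixed(session, path):
    key = parse_path(path)
    if key is None:
        return 404, None
    if not authorize_object(session, key[0]):
        return 403, None  # deny before any object lookup or data exposure
    return (200, PREFERENCES[key]) if key in PREFERENCES else (404, None)


def set_preferences_fixed(session, path, value):
    key = parse_path(path)
    if key is None:
        return 404, None
    if not authorize_object(session, key[0]):
        return 403, None  # writes (skewing another user's activity) are refused too
    PREFERENCES[key] = list(value)
    return 200, PREFERENCES[key]
```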

The discovered vulnerabilities were submitted to Coursera's security team on October 5. Confirmation that the company had received the report and was working on it came on October 26. Coursera subsequently wrote to Checkmarx saying they had resolved the issues (December 18 through January 2), after which a retest report with a new problem was sent. Finally, on May 24, Coursera confirmed that all issues were fixed.

Despite the fairly long time from disclosure to correction, the researchers said the Coursera security team was a pleasure to work with.

"Their professionalism and cooperation, as well as the swift ownership they assumed, is what we look forward to when engaging with software companies," they concluded.

Source: https://www.checkmarx.com

