A vulnerability in the Coursera API could have allowed user data to leak

A few days ago a vulnerability was disclosed in the popular online learning platform Coursera. The problem lay in its API: a Broken Object Level Authorization (BOLA) condition that an attacker could have abused to learn users' course preferences and to skew the courses a user is shown.

The recently disclosed flaw is also believed to have been capable of exposing user data before it was fixed. The flaws were discovered by researchers at the application security testing company Checkmarx and were published last week.

The vulnerabilities concern Coursera's application programming interfaces (APIs). The researchers decided to look into Coursera's security because of its growing popularity following the shift to remote work and online learning brought on by the COVID-19 pandemic.

For those who don't know Coursera: it is a company with 82 million users that works with more than 200 companies and universities. Notable partnerships include the University of Illinois, Duke University, Google, the University of Michigan, International Business Machines (IBM), Imperial College London, Stanford University, and the University of Pennsylvania.

Several different API problems were identified, including user/account enumeration through the password reset feature, a lack of resource limiting on both the GraphQL and REST APIs, and a GraphQL misconfiguration. Most notably, a Broken Object Level Authorization (BOLA) issue topped the list.

"While interacting with the Coursera web application as regular users (students), we noticed that recently viewed courses were displayed in the user interface. To render this information, we identified several API GET requests to the same endpoint: /api/userPreferences.v1/USER_ID~PREFERENCE_TYPE."

The BOLA API vulnerability was described as affecting user preferences. By exploiting it, even anonymous users were able to retrieve preferences, and also to change them. Some preferences, such as recently viewed courses and certifications, also leaked some metadata. BOLA flaws in APIs expose endpoints that handle object identifiers supplied by the client, which can open the door to further attacks.
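To make the flaw concrete, here is an added example, not Coursera's or Checkmarx's code: a minimal in-memory model of the GET/PUT handler behind /api/userPreferences.v1/USER_ID~PREFERENCE_TYPE, first in its BOLA-vulnerable form (the USER_ID in the URL is trusted) and then hardened with a single, shared object-level authorization check. The store contents, the "recentlyViewedCourses" preference type, the Request shape and the session-user field are all assumptions made for illustration; the harvest() function shows what an anonymous caller can do with the vulnerable handler at scale.

```python
# Added example, not Coursera's or Checkmarx's code. Store contents, the
# "recentlyViewedCourses" preference type, the Request shape and the
# session_user field are assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional

PREFIX = "/api/userPreferences.v1/"


@dataclass
class Request:
    method: str                  # "GET" or "PUT"
    path: str
    session_user: Optional[str]  # authenticated user id, None for anonymous
    body: Optional[dict] = None


def make_store() -> dict:
    """Constructed sample preference store keyed by (USER_ID, PREFERENCE_TYPE)."""
    return {
        ("1001", "recentlyViewedCourses"): {"courseIds": ["ml-101", "crypto-201"]},
        ("1002", "recentlyViewedCourses"): {"courseIds": ["netsec-110"]},
    }


def parse_object_id(path: str):
    """Split the path's object id into (USER_ID, PREFERENCE_TYPE)."""
    if not path.startswith(PREFIX):
        raise ValueError("unknown route")
    user_id, sep, pref_type = path[len(PREFIX):].partition("~")
    if not sep or not user_id or not pref_type:
        raise ValueError("malformed object id")
    return user_id, pref_type


def handle_vulnerable(req: Request, store: dict):
    """BOLA: USER_ID from the URL is trusted; nobody checks the caller owns it."""
    try:
        key = parse_object_id(req.path)
    except ValueError:
        return 400, None
    if req.method == "GET":
        return (200, store[key]) if key in store else (404, None)
    if req.method == "PUT":
        store[key] = req.body  # anyone, even anonymous, can rewrite it
        return 200, req.body
    return 405, None


def authorize(req: Request, owner_id: str) -> Optional[int]:
    """One object-level check reused by every handler (the centralised
    validation the researchers recommend). Returns the HTTP status to fail
    with, or None when the caller may touch owner_id's objects. A foreign
    owner gets 404 rather than 403 so the reply does not confirm that the
    guessed USER_ID exists."""
    if req.session_user is None:
        return 401
    if req.session_user != owner_id:
        return 404
    return None


def handle_hardened(req: Request, store: dict):
    """Same endpoint, but the authorization decision happens before any access."""
    try:
        key = parse_object_id(req.path)
    except ValueError:
        return 400, None
    denied = authorize(req, key[0])
    if denied is not None:
        return denied, None
    if req.method == "GET":
        return (200, store[key]) if key in store else (404, None)
    if req.method == "PUT":
        store[key] = req.body
        return 200, req.body
    return 405, None


def harvest(handler, store: dict, user_ids, pref_type="recentlyViewedCourses"):
    """Anonymous mass collection: walk candidate USER_IDs, keep every hit."""
    found = {}
    for uid in user_ids:
        status, body = handler(Request("GET", f"{PREFIX}{uid}~{pref_type}", None), store)
        if status == 200:
            found[uid] = body
    return found


if __name__ == "__main__":
    store = make_store()
    ids = [str(i) for i in range(1000, 1005)]
    print("vulnerable:", harvest(handle_vulnerable, store, ids))  # leaks 1001 and 1002
    print("hardened:  ", harvest(handle_hardened, store, ids))    # {}
```

The point of the hardened version is not the check itself, which is one line, but where it lives: every handler that receives an object identifier calls the same authorize() before touching the store, so a new endpoint cannot forget it, and the only thing left to review is that each route passes the right owner id.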

"This scenario could be abused to understand general users' preferences at a large scale, but also to somehow bias users' choices, since manipulating their recent activity affected the content rendered on Coursera's home page for a specific user," the researchers said.

"Unfortunately, authorization issues are common with APIs," the researchers said. "It is very important to centralize access control validation in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to existing ones, should be carefully reviewed with regard to their security requirements."

The researchers note that authorization problems are common with APIs, which is why access-control validation should be centralized: a single component that is well tested and continuously maintained, rather than a check reimplemented in every endpoint.

The findings were reported to Coursera's security team on October 5. Confirmation that the company had received the report and was working on it came on October 26. Coursera later wrote to Checkmarx saying the issues had been resolved on December 18; on January 2 a retest report, including a new issue, was sent back to Coursera. Finally, on May 24, Coursera confirmed that all the issues had been fixed.

Although the time from disclosure to fix was long, the researchers said Coursera's security team was a pleasure to work with.

"Their professionalism and cooperation, as well as the prompt ownership they took, is what we look forward to when engaging with software companies," they said.

Source: https://www.checkmarx.com

