Coursera API vulnerabilities disclosed by researchers

Coursera took “prompt ownership” of the bugs, once reported.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed a set of API vulnerabilities in the Coursera platform. 

On Thursday, Checkmarx security researcher Paulo Silva revealed the discovery of multiple security failings in the Coursera online learning platform, which caters to millions of learners, both at home and in the enterprise.

The company collaborates with over 200 universities and companies, including Stanford University, Duke University, AWS, Google, Cisco, and IBM. Courses on offer range from degrees in the STEM field to shorter classes in health, the humanities, and languages. 

Silva says that Checkmarx decided to investigate Coursera's security posture due to the increased popularity of remote and on-demand learning prompted by the COVID-19 pandemic, in line with the organization's Vulnerability Disclosure Program, launched in 2015.

The researchers focused on access control, a security point mentioned in the program as an in-scope issue: accessing data you are not authorized to, that of other learners, or being able to tap into internal, backend administrative systems. 

Checkmarx found multiple API problems, including an enumeration via password reset function error, resource limitations relating to both a GraphQL and a REST API, and a GraphQL misconfiguration. 

However, the main issue of note was a Broken Object Level Authorization (BOLA) security flaw, considered by OWASP to be a major threat due to the ease of exploitation. 

BOLA flaws in APIs may expose endpoints that handle object identifiers, potentially opening the door to wider attacks. 

The BOLA vulnerability that was found related to preferences stored in learner accounts. Anonymous users could retrieve this information and change them -- and in addition, some user metadata was also leaked. 
"Authorization issues are, unfortunately, quite common with APIs," the researchers say. "It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements."

Checkmarx reported its findings to Coursera on October 5, 2020, and the e-learning provider began to triage the report on October 26. By December 18, a partial patch was issued, but an additional "issue" required re-tests, delaying the confirmation of fixes until May 24.

Despite delays in fully resolving the vulnerabilities, the researchers say that Coursera took "prompt ownership" of the API bugs, once reported. 

"The privacy and security of learners on Coursera is a top priority," Coursera told ZDNet. "We're grateful to Checkmarx for bringing the low-risk API-related issues to the attention of our security team last year, who were able to address and resolve the issues promptly."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards