A Funny Thing Happened on the Way to Coursera (Web Policy)

by Jonathan Mayer, a computer scientist + lawyer at Stanford

[full post here]

I’m excited to be teaching Stanford Law’s first Coursera offering this fall, on government surveillance. In preparation, I’ve been extensively poking around the platform; while I found some snazzy features, I also stumbled across a few security and privacy issues.

  1. Any teacher can dump the entire user database, including over nine million names and email addresses.
  2. If you are logged into your Coursera account, any website that you visit can list your course enrollments.
  3. Coursera’s privacy-protecting user IDs don’t do much privacy protecting.

The balance of this piece provides some detail on each of the vulnerabilities.

Update 9/4: Coursera has acknowledged the issues, and claims they are “fully addressed.” The second vulnerability, however, still exists.

Update 9/6: Coursera appears to have imposed rate limiting on the APIs associated with the second vulnerability, mitigating the risk to users. A malicious website can now iterate over about 10% of the course catalog before having to wait.

About Ryan C. Fowler

Ryan is a curricular fellow at the Center for Hellenic Studies in Washington D.C. He also teaches at Franklin and Marshall College and Lancaster Theological Seminary.