A Funny Thing Happened on the Way to Coursera (Web Policy)

by Jonathan Mayer, a computer scientist + lawyer at Stanford

[full post here]

I’m excited to be teaching Stanford Law’s first Coursera offering this fall, on government surveillance. In preparation, I’ve been extensively poking around the platform; while I found some snazzy features, I also stumbled across a few security and privacy issues.

  1. Any teacher can dump the entire user database, including over nine million names and email addresses.
  2. If you are logged into your Coursera account, any website that you visit can list your course enrollments.
  3. Coursera’s privacy-protecting user IDs don’t do much privacy protecting.

The balance of this piece provides some detail on each of the vulnerabilities.

Update 9/4: Coursera has acknowledged the issues, and claims they are “fully addressed.” The second vulnerability, however, still exists.

Update 9/6: Coursera appears to have imposed rate limiting on the APIs associated with the second vulnerability, mitigating the risk to users. A malicious website can now iterate over about 10% of the course catalog before having to wait.

Leave a Reply