Due to the BOLA vulnerability, personal information of the online learning platform's users may be exposed

Jul 9, 2021 14:30 GMT  ·  By

According to ZDNet, researchers have disclosed several security flaws in the Coursera online learning platform. The most significant, a Broken Object Level Authorization (BOLA) issue in the platform's APIs, could have exposed sensitive information.

Due to the popularity of Coursera, researchers decided to take a peek at its security practices. Access control is listed in the program as an in-scope concern; this covers accessing data you are not authorized to see, accessing data belonging to another student, and reaching the backend administrative systems.

Checkmarx discovered a number of API issues, including user enumeration via the REST API's password reset function, missing resource limits in both the REST and GraphQL APIs, and a GraphQL misconfiguration, among other problems. Nonetheless, the most significant security vulnerability identified was a Broken Object Level Authorization (BOLA) flaw.

BOLA vulnerabilities allow for the unauthorized disclosure of database records

According to the study published by security researcher Paulo Silva, Coursera's BOLA flaw permitted anonymous users to retrieve and update user preferences, and also to manipulate the platform. Some user preferences, such as recently viewed courses and certificates, exposed metadata including the date and time of the activity.

The problem has since been resolved. The security researchers explained: "Authorization issues are, unfortunately, quite common with APIs," [...] "It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements."
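As an added illustration of the two behaviours described above (this is constructed example code, not Coursera's implementation or anything from the Checkmarx report), the endpoint below first trusts the user id supplied in the request, then is reworked so that every object-level access goes through one central authorization function. Record contents, user ids and function names are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: user preferences keyed by the owning user id.
PREFERENCES = {
    101: {"recently_viewed": ["course-a"], "viewed_at": "2021-06-01T10:00:00Z"},
    102: {"recently_viewed": ["course-b"], "viewed_at": "2021-06-02T11:30:00Z"},
}

@dataclass(frozen=True)
class Principal:
    """The authenticated caller; user_id None models an anonymous request."""
    user_id: Optional[int]

class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""

def get_preferences_vulnerable(caller: Principal, target_user_id: int) -> dict:
    """BOLA pattern: the object id from the request is trusted as-is and the
    caller is never compared with the record's owner, so anyone can read it."""
    return PREFERENCES[target_user_id]

def authorize_object_access(caller: Principal, owner_id: int, action: str) -> None:
    """Single object-level check that every endpoint taking an object id calls;
    keeping the rule in one tested place is what the quoted advice recommends."""
    if caller.user_id is None:
        raise Forbidden(f"anonymous caller may not {action} user objects")
    if caller.user_id != owner_id:
        raise Forbidden(f"user {caller.user_id} may not {action} data of user {owner_id}")

def get_preferences(caller: Principal, target_user_id: int) -> dict:
    """Hardened read: ownership is verified before the record is returned."""
    authorize_object_access(caller, target_user_id, "read")
    return PREFERENCES[target_user_id]

def update_preferences(caller: Principal, target_user_id: int, changes: dict) -> dict:
    """Hardened write: the same central check, with a distinct action label."""
    authorize_object_access(caller, target_user_id, "write")
    PREFERENCES[target_user_id].update(changes)
    return PREFERENCES[target_user_id]

def is_denied(handler, caller: Principal, target_user_id: int, *args) -> bool:
    """Return True if the handler refuses the request (used to demonstrate the fix)."""
    try:
        handler(caller, target_user_id, *args)
    except Forbidden:
        return True
    return False
```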

Coursera assured its users that student security and privacy on its platform are a top priority. It also thanked Checkmarx for alerting its security team to the API issues last year, which allowed it to address and resolve the concerns quickly.