Jonathan Mayer, a computer scientist and lawyer, is teaching Stanford Law’s first Coursera class beginning in October. While setting everything up, he’s been “extensively poking around the platform,” and in the process he found a bunch of vulnerabilities, which he outlined them in a blog post. Now Coursera is patching them.
Mayer pointed out that any registered Coursera instructor could use the site’s autocomplete feature to access the platform’s whole user database, which includes information like names and email addresses for 9 million accounts. He also noticed that once users were logged into Coursera, third-party services could potentially access their course registration histories.
In a statement posted early Friday morning, Coursera said that it has patched the vulnerabilities:
We deeply apologize to our learners for any potential risk to their privacy. In our investigation, we have found no reason to believe that our learners’ personal information has been abused. Our team responded immediately to Dr. Mayer’s report, and has now closed off the vulnerabilities that were uncovered. We continue to monitor and improve our platform to provide the best and safest experience to all learners.
It’s heartening that Coursera reacted so quickly to fix the security flaws, but it is a little strange that in its statement Coursera admits to “focus[ing] less effort on deflecting malicious attacks that might be made by one of our trusted partners.” It makes sense to assume that a partner in good standing won’t itself initiate an attack, but leaving data exposed that should be private is problematic no matter what. A malicious hacker can exploit a “trusted partner” just as easily as an untrusted one if a vulnerability exists.