Stanford Professor Finds Holes in Coursera Security

It appears, according to Jonathan Mayer, a Stanford doctoral candidate, that there are several security issues in the Coursera online instruction site.

Mayer is set to teach a class on the Coursera platform this October for Stanford, but he posted on his blog last week that the security weaknesses could allow unauthorized third-party access to a student’s information. His claim is that the normal password and ID protection does not seem to be enough to keep this from happening.

“Any teacher can dump the entire user database, including over 9 million names and email addresses,” Mayer said. “If you are logged into your Coursera account, any website that you visit can list your course enrollments.”

Brennan Saeta, Coursera’s information security officer, has apologized, and Coursera has moved quickly to correct these issues.

“Our team responded immediately to Dr. Mayer’s report, and has now closed off the vulnerabilities that were uncovered,” Saeta said. “We continue to monitor and improve our platform to provide the best and safest experience to all learners.”

Caelainn Carney, Helen Broad, and Tyrone Cadogan, writing for the University of Virginia’s student newspaper The Cavalier Daily, say that the university has hosted many Coursera classes before and plans to continue doing so this school year. The University of Virginia director of online learning programs, Kristen Palmer, says there are extra precautions taken for the university’s students so that these sorts of problems are less likely to occur. She noted that all students had to use their Netbadge logins to access their Coursera courses.

Palmer says that Mayer may have found these breaches because he is himself a professor who specializes in security risks. She adds that Virginia’s involvement with Coursera is so small that she is not concerned about any substantial breaches. Still, there are students who are not registered at Virginia who will be taking some of the courses, and they do not have access to the extra security measures.

Coursera took a defensive stand on the discovery, and they were emphatic in their response. They wrote on the Coursera Blog that critical information such as credit card details was at no time accessible to security thieves; that individual student email addresses were visible only to other Coursera-hosted course instructors; that individual learner enrollment information could potentially have been available if the learner visited a site running malware, which is a constant risk online; that there is no evidence that learner data was exposed; and that any security gaps that did exist have been fully addressed.

But Mayer does point out some other glitches that Coursera did not cover in their “mea culpa” blog, says Cromwell Schubarth of Silicon Valley Business Journal. First, he found that any registered Coursera instructor could access the platform’s entire user base, and that any website visited by a student who was logged into a Coursera account could see and list the courses in which that student was enrolled.

“Coursera’s privacy-protecting user IDs don’t do much privacy protecting,” he wrote.

Jon Russell, writing for TheNextWeb, says that this breach had elements that were very similar to the technique used in Andrew “Weev” Auernheimer’s infamous incident with AT&T. He adds that Coursera thanked Mayer for his input and acknowledged that, although they had worked with security professionals, they had not taken steps to guard against the possibility that trusted partners, such as teachers, could themselves create security issues.