Checkmarx’s security research team analyzed the security posture of the Coursera platform after “remote everything” became the norm. Access control issues turned out to be the platform’s most significant concern.
The report says the Coursera network includes 82 million learners, 100+ Fortune 500 companies, and more than 6,000 campuses, businesses, and governments.
A few of its prominent partners include the University of Illinois, Duke University, University of Michigan, Google, International Business Machines, University of Pennsylvania, Imperial College London, and Stanford University.
Broken Object Level Authorization (BOLA) API Vulnerability
The security research team found several API issues, including user/account enumeration via the reset password feature, lack of resource limiting on both a GraphQL and a REST API, and a GraphQL misconfiguration.
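Two of the issues listed above, account enumeration through the reset password feature and missing resource limiting, are illustrated below with an added example that is not Coursera’s or Checkmarx’s code. The first handler answers differently depending on whether the account exists; the second answers uniformly and applies a per-client sliding-window limit. The account store, client keys, limiter settings and the `outbox` list are all constructed for the demo.

```python
"""Added example, not Coursera's or Checkmarx's code: a password-reset request
handler in the enumeration-prone shape the article names, beside a version that
answers uniformly and applies per-client resource limiting. Account data, client
keys and the limiter settings are constructed for this demo."""
from collections import defaultdict, deque

# Constructed sample account store.
ACCOUNTS = {"alice@example.com"}


def request_reset_vulnerable(email, accounts=ACCOUNTS):
    """Enumeration-prone: the response reveals whether the account exists."""
    if email in accounts:
        return {"status": 200, "message": "Reset link sent"}
    return {"status": 404, "message": "No account with that email"}


class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window` seconds per client key.

    The caller passes the current time explicitly so behaviour is deterministic;
    a real deployment would use a monotonic clock and shared storage.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, client_key, now):
        hits = self._hits[client_key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def request_reset_secure(email, client_key, limiter, now, accounts=ACCOUNTS, outbox=None):
    """Hardened: same response for known and unknown accounts, and rate limited.

    Whether a mail is actually sent is only observable by the mailbox owner;
    `outbox` (a list, constructed for the demo) stands in for the mail queue.
    """
    if not limiter.allow(client_key, now):
        return {"status": 429, "message": "Too many requests"}
    if email in accounts and outbox is not None:
        outbox.append(email)
    return {"status": 202, "message": "If an account exists, a reset link has been sent"}


def demo():
    """Exercise both handlers; returns the observable responses for inspection."""
    limiter = SlidingWindowLimiter(limit=3, window=60)
    outbox = []
    secure_known = request_reset_secure("alice@example.com", "10.0.0.1", limiter, now=0, outbox=outbox)
    secure_unknown = request_reset_secure("nobody@example.com", "10.0.0.1", limiter, now=1, outbox=outbox)
    request_reset_secure("x@example.com", "10.0.0.1", limiter, now=2, outbox=outbox)
    fourth = request_reset_secure("y@example.com", "10.0.0.1", limiter, now=3, outbox=outbox)
    return {
        "vulnerable_known": request_reset_vulnerable("alice@example.com"),
        "vulnerable_unknown": request_reset_vulnerable("nobody@example.com"),
        "secure_known": secure_known,
        "secure_unknown": secure_unknown,
        "fourth_in_window": fourth,
        "outbox": outbox,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A uniform response body and status code close the obvious channel, but the mail send itself should be queued asynchronously so that response timing does not differ between existing and non-existing accounts; the limiter should additionally be keyed on the target email, not only the client, since a single account can be targeted from many clients.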
Of these, the Broken Object Level Authorization (BOLA) issue best illustrates Coursera’s access control concerns.
This BOLA API issue affected users’ preferences. If exploited, even anonymous users were able to retrieve any user’s preferences and even change them. Some of these preferences, such as recently viewed courses and certifications, also leaked metadata (e.g. activity date/time).
The researchers added that this vulnerability could have been abused not only to profile users’ course preferences at large scale, but also to bias users’ choices, since manipulating a user’s recent activity affected the content rendered on that user’s Coursera homepage.
“We started stripping the original request of cookies and headers, to come up with the conclusion that even anonymous users would have access to any user preferences”, said the research team from Checkmarx.
The risk involved with this vulnerability is an authorization issue that directly impacts data privacy, data integrity, user trust, and ultimately business reputation. The risk grows with the sensitivity of the data unauthorized users can access or manipulate (e.g., financial/payment data).
Accordingly, the Checkmarx security team notes that “Authorization issues are, unfortunately, quite common with APIs. It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component.”
It is therefore recommended that new API endpoints, or changes to existing ones, be carefully reviewed against the security requirements.
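The BOLA pattern described above (an endpoint that trusts the user id supplied by the client and never checks who is calling, so that stripping cookies and headers changes nothing) and the centralized authorization component the Checkmarx team recommends are shown together in this added example, which is not Coursera’s or Checkmarx’s code. The user ids, preference records, `Request` shape and handler names are constructed for the demo.

```python
"""Added example, not Coursera's or Checkmarx's code: a minimal user-preferences
API in the BOLA shape the article describes, beside a version that routes every
object access through one centralized authorization check. User ids, preference
records and the request shape are constructed for this demo."""
from dataclasses import dataclass
from typing import Optional


def make_store():
    """Fresh constructed preference store, keyed by the owning user's id."""
    return {
        "u-100": {"recently_viewed": ["course-ml-101"], "last_activity": "2021-05-01T10:00:00Z"},
        "u-200": {"recently_viewed": ["course-sec-201"], "last_activity": "2021-05-02T09:30:00Z"},
    }


@dataclass
class Request:
    """Hypothetical request shape: caller_id is None for an anonymous caller."""
    caller_id: Optional[str]
    target_user_id: str
    body: Optional[dict] = None


class Forbidden(Exception):
    pass


# --- Vulnerable handlers: trust the object id supplied by the client and never
# --- ask who is calling. Stripping cookies and headers changes nothing here.
def get_preferences_vulnerable(store, req):
    return dict(store[req.target_user_id])


def update_preferences_vulnerable(store, req):
    store[req.target_user_id].update(req.body or {})
    return dict(store[req.target_user_id])


# --- Hardened handlers: every object-level access goes through one check.
def authorize_object_access(caller_id, owner_id):
    """Centralized object-level authorization (the single, tested component the
    Checkmarx team recommends). Anonymous callers and non-owners are rejected."""
    if caller_id is None:
        raise Forbidden("authentication required")
    if caller_id != owner_id:
        raise Forbidden("caller does not own this object")


def get_preferences_secure(store, req):
    authorize_object_access(req.caller_id, req.target_user_id)
    return dict(store[req.target_user_id])


def update_preferences_secure(store, req):
    authorize_object_access(req.caller_id, req.target_user_id)
    store[req.target_user_id].update(req.body or {})
    return dict(store[req.target_user_id])


def attempt(handler, store, req):
    """Run a handler and report the outcome as ("ok", data) or ("forbidden", None)."""
    try:
        return "ok", handler(store, req)
    except Forbidden:
        return "forbidden", None


if __name__ == "__main__":
    anon = Request(caller_id=None, target_user_id="u-200")
    owner = Request(caller_id="u-200", target_user_id="u-200", body={"recently_viewed": ["course-x"]})
    print("vulnerable, anonymous:", attempt(get_preferences_vulnerable, make_store(), anon))
    print("secure, anonymous:   ", attempt(get_preferences_secure, make_store(), anon))
    print("secure, owner update:", attempt(update_preferences_secure, make_store(), owner))
```

The point of `authorize_object_access` being one function is that it can be unit-tested and reviewed once, and a code review of any new or changed endpoint reduces to checking that the handler calls it before touching the object; a handler that skips the call is the defect to look for.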
Checkmarx disclosed its findings to Coursera’s security team in October. By May 24, 2021, Coursera had resolved all the API issues, including a new one that Checkmarx found and reported in January.
Despite delays in fully resolving the vulnerabilities, the researchers say that Coursera took “prompt ownership” of the API bugs once reported. According to security researcher Paulo Silva, “As vulnerable APIs increasingly fall into adversaries’ sights, it’s critical that developers receive proper education on best practices for embedding security into their design from the get-go.”