What can we learn from the Coursera API-story?

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at University of Public Service

Created: 2021-07-21

A number of security vulnerabilities have been found and disclosed in the Coursera online learning platform. Csaba Krasznay summarizes the key learning points of the story.

The emergence of COVID-19 required immediate action in several areas. The primary objective of the measures carried out immediately at the start of the emergency was to protect the health of the public and to avoid harm, though their secondary effects could not necessarily be predicted. To create the conditions for distance learning and to develop remote working capabilities necessary to maintain the function of the economy, enormous modifications had to be made in a short timespan to existing IT systems, while the introduction of new software was also needed. At the same time, there was also a significant increase in the risk from several cybersecurity issues affecting both systems and users during this period.

Based on the experience of digital education, a selected platform should have the following features:

  • It must meet European data protection requirements, generally speaking the GDPR
  • It must ensure the special protection of children's personal data
  • It should include some specific privacy-enhancing technologies
  • It should support incident management in case of misuse of the platform
  • The developer should patch any detected vulnerabilities as soon as possible
  • It should support institutional identity and access management

At Coursera, one of the largest distance learning platforms worldwide, we witnessed a failure of the latter point due to some bad APIs . According to the report released in July 2021, Checkmarx Security Research Team (https://www.checkmarx.com/blog/technical-blog/api-crash-course-broken-object-level-authorization-found-in-coursera/) made a detailed analysis on the APIs inside Coursera’s Vulnerability Disclosure Program and discovered multiple API issues, including “user/account enumeration via the reset password feature, lack of resources limiting on both a GraphQL and REST API, and a GraphQL misconfiguration.” Moreover, they even found Broken Object Level Authorization (BOLA), which is listed at the top of OWASP’s Top 10 API security issues (https://owasp.org/www-project-api-security/). Throughout this vulnerability, the researchers were able to retrieve and modify the user preferences. Coursera cooperated with Checkmarx and fixed the vulnerabilities before the public announcement.

Coursera is another case that reminds us of the importance of API security, and it makes sense to highlight here some lessons learned from this story.

First, personal data is everywhere. A modern digital service cannot operate without data. At first glance, this data might not be classic personal data like a name or address. However, we do construct user profiles from these data pieces, which means that they quickly become personal data, and are therefore in need of protection. Our advice is to keep your eyes on all your collected, transmitted, and even processed data to avoid any future problems.

Second, Coursera has a bug bounty program, something that is still rare among those providing digital services. At Balasys, we highly recommend starting a bug bounty program or joining an existing platform. Do not give cybercriminals the chance to find vulnerable APIs in your service and sell the stolen information on the Darknet. It is far safer if capable people are working in a regulated cybersecurity framework without the risk of carrying out questionable activities.

Third, Checkmarx has a great solution for secure application development. As their recommendation says, “Authorization issues are, unfortunately, quite common with APIs. It is very important to centralize access control validations in a single, well and continuously tested, and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements.” Our experience is the same. Without a central API security management solution, these interfaces can quickly become a high-risk vulnerability on your digital service’s surface. If you want to learn more about API security, please visit our solution page.