Online learning platform Coursera said it has patched a vulnerability that left the names and email addresses of its nine million registered users potentially accessible to teachers registered with the service.
The issue was raised by Stanford professor Jonathan Mayer. A registered teacher on Coursera himself, Mayer found that the site’s use of autocomplete left its database exposed to a potential data dump using the same technique as Weev’s infamous incident with AT&T.
In addition, Mayer’s research suggested that third-party websites could be manipulated to gain access to a Coursera student’s course registration history. The professor also raised issues with the company’s confusing ID privacy policy.
Coursera apologized for the issues in a blog post which confirmed it had “closed off the vulnerabilities that were uncovered” and worked with Mayer after he contacted them. That said, an investigation “found no reason to believe that these vulnerabilities were abused,” the company added.
Coursera stressed that it has worked with security professionals while developing its site, but it had “focused less effort” on potential issues that would involve trusted partners such as teachers. That excuse seems rather flimsy given that the company has raised some $85 million (from a range of investors that include the World Bank and Yuri Milner’s DST Group), and given that these holes were fixed in a matter of days.