Online learning platform Coursera said it has patched a vulnerability that left the names and email address of its nine million registered users potentially accessible to teachers registered with the service.
The issue was raised by Stanford professor Jonathan Mayer. A registered teacher on Coursera himself, Mayer found that the site’s use of autocomplete left its database exposed to a potential data dump using the same technique as Weev’s infamous incident with AT&T.
Coursera apologized for the issues in a blog post which confirmed it had “closed off the vulnerabilities that were uncovered” and worked with Mayer after he contacted them. That said, an investigation “found no reason to believe that these vulnerabilities were abused,” the company added.
Coursera stressed that it has worked with security professions while developing its site, but it had “focused less effort” on potential issues that would involve trusted partners such as teachers. That excuse seems rather flimsy given that the company has raised some $85 million (from a range of investors that include the World Bank and Yuri Milner’s DST Group), and the fact that these holes were fixed in a matter of days.
Image via Yuko Honda / Flickr