Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

← Back to Stories (view on slashdot.org)

Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

Posted by timothy on Thursday September 4, 2014 @07:35AM from the don't-I-know-you-from-the-semiotics-class? dept.

An anonymous reader writes Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.

31 comments

Min score:

Reason:

Sort:

And, once again ... by gstoddart · 2014-09-04 07:48 · Score: 2

Someone rushes a product to market, with absolutely zero thought about security.
This sounds like some pretty epic incompetence (or laziness).
That they then roll this out to 9 million students is pretty sad.

--
Lost at C:>. Found at C.
1. Re:And, once again ... by TWX · 2014-09-04 08:14 · Score: 2
  
  At least it's not a Github project depedent on both Ruby and its package management system, node.js and its package management system, MySQL for at least one of those two, plus several third-party repositories and then its own DB requiring PostgreSQL...
  
  --
  Do not look into laser with remaining eye.
2. Re:And, once again ... by fropenn · 2014-09-04 08:45 · Score: 1
  
  It's not a problem. It's a feature.
3. Re:And, once again ... by i+kan+reed · 2014-09-04 08:49 · Score: 1
  
  I think there's a difference between "zero thought about security" and "not meeting the level of constant vigilance that genuinely safe code requires".
  I mean they clearly built a full on authentication system for the front-end. And I doubt that makes the casual mistakes that tend to do those in: not hashing passwords, not using HTTPS for login, SQL injection.
  But I don't know. I don't have their code and 2 weeks to figure it out.
4. Re:And, once again ... by tlhIngan · 2014-09-04 09:28 · Score: 1
  
  Someone rushes a product to market, with absolutely zero thought about security.
  Geez, haven't you heard? Online education and MOOCs are the Next Big Thing! If you aren't first to the market, you're beat!
  When time-to-market is the most important factor, expect shortcuts to be taken.
5. Re:And, once again ... by Anonymous Coward · 2014-09-04 11:41 · Score: 0
  
  And a GUI interface using Visual Basic!
6. Re:And, once again ... by Anonymous Coward · 2014-09-04 14:39 · Score: 0
  
  Heads will roll.
My personal data was leaked by Coursera by aBaldrich · 2014-09-04 07:48 · Score: 3, Interesting

Back on Jul 17 an email arrived to my gmail inbox. Subject: "Earn an LL.M. in the United States in Less Than A Year". Sent by UF Levin College of Law, they spammed me and lots of courserans about a program "designed exclusively for graduates of law schools outside of the United States and from the U.S. Commonwealth of Puerto Rico who want to enhance their understanding of the laws and legal language and culture of the United States of America."
The distribution list did not ask for permission or confirmation. The design errors didn't stay there: anyone could reply to the list and have the messages forwarded. In less then two hours, 47 angry students from around the world complained and asked each other to send an email to Coursera. Which I did. I only got an automated reply, and never heard back from them.
from: Jesse *, Jr.
reply-to: "Jesse *, Jr."
to:COURSERALAW-L@lists.ufl.edu
date: 17 July 2014 15:20

--
In soviet russia the government regulates the companies.
1. Re:My personal data was leaked by Coursera by Anonymous Coward · 2014-09-04 08:27 · Score: 0
  
  No. Your personal data was most likely SOLD by Coursera.
Re:Coursera is a luminois toad by i+kan+reed · 2014-09-04 07:49 · Score: 1

As an imperialistic pimp, I've got to point out that it's a bit of a social necessity to create a cultural standard by means of universal education, and tools to that regard are useful for everyone.
Not just for the whole shared-experience-helps-maintain-national-culture part, but also the people-who-can't-read-are-useless part.
So use a unique online student email. by wherrera · 2014-09-04 08:02 · Score: 2

I think most students who are savvy enough to use Coursera ought to be able to create a student-only email account for the purpose.
1. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:10 · Score: 0
  
  At my former university, you get one account, that is your login to google mail, other services, and now Coursera.
2. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:14 · Score: 1
  
  What a stupid statement. People have an expectation of security. This is like blaming consumers for not knowing they shod have had a throwaway card to buy stuff at Target after their massive data breach. If you're going to store or process others' personal information it's your responsibility entirely to secure it.
3. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:22 · Score: 0
  
  I think what the GP meant was that when you sign up for Coursera, you create an email account somewhere like 'coursera_pimps@gmail.com' and use that for them.
  It is getting harder though since more and more of the "free" email companies are demanding cell phone numbers and other things to "verify" the account.
  Thanks spammers!
4. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:31 · Score: 0
  
  What? A university that uses Google for student mail? Please tell me which one. Fucking ridiculous.
5. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:33 · Score: 0
  
  Thanks spammers!
  You should be thanking the assholes who actually make these stupid decisions to begin with, not the people they blame for their own actions.
6. Re:So use a unique online student email. by Anonymous Coward · 2014-09-04 08:53 · Score: 0
  
  My university is on this list
  Google's Apps for Education "Customer Stories"
  61, and now 66 of the "top 100 schools" use it.
As someone who works with educational data by Anonymous Coward · 2014-09-04 08:12 · Score: 2, Interesting

As someone who works with educational data in higher education, I am completely unsurprised. Coming from an IT background, almost no one in education cares about data security - and no one understands FERPA anyway - and it's a miracle this hasn't happened more.
There's a lot more data out there than there used to be, and very few (if any) of the business software packages used in education seem to have the necessary granularity needed to give people access to only the data they need.
1. Re:As someone who works with educational data by mlts · 2014-09-04 08:46 · Score: 1
  
  Does FERPA have any teeth in it? I've yet to hear about it actually being enforced. Similar with HIPAA, I've read about a slap on the wrist here and there after some medical facility had all their info lost. Even PCI-DSS seems to be more lip service than anything else, mainly CYA if that.
  The only way we are going to see anything but miserable, failed excuses of security as SOP in the industry is if there are grave consequences for breaches, and not just XYZ company getting fined, declaring bankruptcy and reforming as ABC company (with all the assets owned by holding organizations), but actual "go to jail, do not pass go, do not collect $200" consequences on someone other than some low-level lackey who is still standing when the music stops.
2. Re:As someone who works with educational data by AthanasiusKircher · 2014-09-04 09:22 · Score: 1
  
  Does FERPA have any teeth in it? I've yet to hear about it actually being enforced.
  Well, per the Supreme Court decision Gonzaga University v. Doe , FERPA was ruled NOT to create an individual right for a student to sue over a privacy breach.
  Basically, under most circumstances, the main penalty that would be possible for FERPA violations would be removal of federal funding from a university. Most universities do instruct faculty on its requirements, and they may have internal disciplinary measures for faculty who violate it.
  From a practical standpoint, having worked at a couple different universities, I usually hear about FERPA actually being invoked when students or parents want access to educational records or want access to make a correction to an educational record, which it also requires. I've heard of students suing over various things, but not FERPA -- and usually if an instructor does something stupid like post a list of grades that a student complains about, someone just tells the instructor not to do that again, and most people just comply because violations are often out of ignorance.
3. Re:As someone who works with educational data by irq0 · 2014-09-05 05:49 · Score: 0
  
  no one understands FERPA anyway
  FERPA also leaves things open to interpretation. For example, Universities can share "directory information" and they get to define what that term means. Teachers should not have access to grading info ... unless they need it to do their job.
Can they gain access to my courses? by Walter+White · 2014-09-04 08:16 · Score: 1

Maybe someone will do my homework. ;)
1. Re:Can they gain access to my courses? by rastos1 · 2014-09-04 08:30 · Score: 1
  
  Actually I would like to go back to some courses offered by Robert Sedgewick, Princeton. Those are the only courses that got closed after end-date.
2. Re:Can they gain access to my courses? by Translation+Error · 2014-09-04 09:35 · Score: 1
  
  "I'm sorry, professor, but Coursera encrypted my homework."
  
  --
  When someone says, "Any fool can see ..." they're usually exactly right.
Only 1 week before revealing the problem? by Anonymous Coward · 2014-09-04 09:25 · Score: 0

Face it folks, allowing a site one week to address a security problem may not be enough time to properly address and fix the issue. How many vendors have taken months just to fix a security issue and not just apply a little bandage? That teacher should get his head out of his Ivory Tower and start dealing with these issues responsibly in the real world...
MOOCs are very important and revolutionary. by Anonymous Coward · 2014-09-04 09:50 · Score: 0

Look, I don't think you understand just how important Coursera and the other MOOCs are these days. Going to college is expensive, and it's a lot of work. Many first-worlders can't afford it, and only the very richest second- and third-worlders can. But Coursera and MOOCs give all second- and third-worlders a way to beg for a useless certification, without actually doing any real work, just like first-world students can.
Before Coursera and MOOCs existed, students would have to pay thousands upon thousands of dollars to attend a college, and only then could they cry to the professor that the assignments were too hard, that the exam was too long, that they didn't have time to study because of a "religious holiday", and that they deserve special treatment because of their "learning difficulties".
Coursera and MOOCs get rid of the financial obstacles that hinder the education of so many second- and third-worlders. Now with just a computer and rudimentary English skills, they can join 15 courses at a time, do absolutely no work or studying for any of them, cry and whine in a few forum posts, and then still get a nice fancy PDF of a pity certificate out of it. MOOCs have brought the higher learning experience to almost everyone on Earth!
Coursera by Anonymous Coward · 2014-09-04 18:20 · Score: 1

Maybe they learn something this time.