Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

Posted by timothy on from the don't-I-know-you-from-the-semiotics-class? dept.

An anonymous reader writes Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.

2 of 31 comments (clear)

  1. My personal data was leaked by Coursera by aBaldrich · · Score: 3, Interesting
    Back on Jul 17 an email arrived to my gmail inbox. Subject: "Earn an LL.M. in the United States in Less Than A Year". Sent by UF Levin College of Law, they spammed me and lots of courserans about a program "designed exclusively for graduates of law schools outside of the United States and from the U.S. Commonwealth of Puerto Rico who want to enhance their understanding of the laws and legal language and culture of the United States of America."
    The distribution list did not ask for permission or confirmation. The design errors didn't stay there: anyone could reply to the list and have the messages forwarded. In less then two hours, 47 angry students from around the world complained and asked each other to send an email to Coursera. Which I did. I only got an automated reply, and never heard back from them.

    from: Jesse *, Jr.
    reply-to: "Jesse *, Jr."
    to:COURSERALAW-L@lists.ufl.edu
    date: 17 July 2014 15:20

    --
    In soviet russia the government regulates the companies.
  2. As someone who works with educational data by Anonymous Coward · · Score: 2, Interesting

    As someone who works with educational data in higher education, I am completely unsurprised. Coming from an IT background, almost no one in education cares about data security - and no one understands FERPA anyway - and it's a miracle this hasn't happened more.

    There's a lot more data out there than there used to be, and very few (if any) of the business software packages used in education seem to have the necessary granularity needed to give people access to only the data they need.