Slashdot Mirror


Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

An anonymous reader writes: Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.

5 of 31 comments

  1. And, once again ... by gstoddart · Score: 2

    Someone rushes a product to market, with absolutely zero thought about security.

    This sounds like some pretty epic incompetence (or laziness).

    That they then roll this out to 9 million students is pretty sad.

    --
    Lost at C:>. Found at C.
    1. Re: And, once again ... by TWX · Score: 2

      At least it's not a GitHub project dependent on both Ruby and its package management system, node.js and its package management system, MySQL for at least one of those two, plus several third-party repositories and then its own DB requiring PostgreSQL...

      --
      Do not look into laser with remaining eye.
  2. My personal data was leaked by Coursera by aBaldrich · Score: 3, Interesting

    Back on Jul 17 an email arrived to my gmail inbox. Subject: "Earn an LL.M. in the United States in Less Than A Year". Sent by UF Levin College of Law, they spammed me and lots of courserans about a program "designed exclusively for graduates of law schools outside of the United States and from the U.S. Commonwealth of Puerto Rico who want to enhance their understanding of the laws and legal language and culture of the United States of America."
    The distribution list did not ask for permission or confirmation. The design errors didn't stay there: anyone could reply to the list and have the messages forwarded. In less than two hours, 47 angry students from around the world complained and asked each other to send an email to Coursera. Which I did. I only got an automated reply, and never heard back from them.

    from: Jesse *, Jr.
    reply-to: "Jesse *, Jr."
    to: COURSERALAW-L@lists.ufl.edu
    date: 17 July 2014 15:20

    --
    In soviet russia the government regulates the companies.
  3. So use a unique online student email. by wherrera · Score: 2

    I think most students who are savvy enough to use Coursera ought to be able to create a student-only email account for the purpose.

  4. As someone who works with educational data by Anonymous Coward · Score: 2, Interesting

    As someone who works with educational data in higher education, I am completely unsurprised. Coming from an IT background, almost no one in education cares about data security - and no one understands FERPA anyway - and it's a miracle this hasn't happened more.

    There's a lot more data out there than there used to be, and very few (if any) of the business software packages used in education seem to have the necessary granularity needed to give people access to only the data they need.