Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

An anonymous reader writes Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.

Re:

[i kan reed]

As an imperialistic pimp, I've got to point out that it's a bit of a social necessity to create a cultural standard by means of universal education, and tools to that regard are useful for everyone.

Not just for the whole shared-experience-helps-maintain-national-culture part, but also the people-who-can't-read-are-useless part.

And, once again ...

[gstoddart]

Someone rushes a product to market, with absolutely zero thought about security.

This sounds like some pretty epic incompetence (or laziness).

That they then roll this out to 9 million students is pretty sad.

Re:

[TWX]

At least it's not a Github project depedent on both Ruby and its package management system, node.js and its package management system, MySQL for at least one of those two, plus several third-party repositories and then its own DB requiring PostgreSQL...

Re:

[fropenn]

It's not a problem. It's a feature.

Re:

[i kan reed]

I think there's a difference between "zero thought about security" and "not meeting the level of constant vigilance that genuinely safe code requires".

I mean they clearly built a full on authentication system for the front-end. And I doubt that makes the casual mistakes that tend to do those in: not hashing passwords, not using HTTPS for login, SQL injection.

But I don't know. I don't have their code and 2 weeks to figure it out.

Re:

[tlhIngan]

Someone rushes a product to market, with absolutely zero thought about security.

Geez, haven't you heard? Online education and MOOCs are the Next Big Thing! If you aren't first to the market, you're beat!

When time-to-market is the most important factor, expect shortcuts to be taken.

My personal data was leaked by Coursera

[aBaldrich]

Back on Jul 17 an email arrived to my gmail inbox. Subject: "Earn an LL.M. in the United States in Less Than A Year". Sent by UF Levin College of Law, they spammed me and lots of courserans about a program "designed exclusively for graduates of law schools outside of the United States and from the U.S. Commonwealth of Puerto Rico who want to enhance their understanding of the laws and legal language and culture of the United States of America."
The distribution list did not ask for permission or confirmation. The design errors didn't stay there: anyone could reply to the list and have the messages forwarded. In less then two hours, 47 angry students from around the world complained and asked each other to send an email to Coursera. Which I did. I only got an automated reply, and never heard back from them.

from: Jesse *, Jr.
reply-to: "Jesse *, Jr."
to:COURSERALAW-L@lists.ufl.edu
date: 17 July 2014 15:20

So use a unique online student email.

[wherrera]

I think most students who are savvy enough to use Coursera ought to be able to create a student-only email account for the purpose.

Re:

[Anonymous Coward]

What a stupid statement. People have an expectation of security. This is like blaming consumers for not knowing they shod have had a throwaway card to buy stuff at Target after their massive data breach. If you're going to store or process others' personal information it's your responsibility entirely to secure it.

As someone who works with educational data

[Anonymous Coward]

As someone who works with educational data in higher education, I am completely unsurprised. Coming from an IT background, almost no one in education cares about data security - and no one understands FERPA anyway - and it's a miracle this hasn't happened more.

There's a lot more data out there than there used to be, and very few (if any) of the business software packages used in education seem to have the necessary granularity needed to give people access to only the data they need.

Re:

[mlts]

Does FERPA have any teeth in it? I've yet to hear about it actually being enforced. Similar with HIPAA, I've read about a slap on the wrist here and there after some medical facility had all their info lost. Even PCI-DSS seems to be more lip service than anything else, mainly CYA if that.

The only way we are going to see anything but miserable, failed excuses of security as SOP in the industry is if there are grave consequences for breaches, and not just XYZ company getting fined, declaring bankruptcy and

Re:

[AthanasiusKircher]

Does FERPA have any teeth in it? I've yet to hear about it actually being enforced.

Well, per the Supreme Court decision Gonzaga University v. Doe [wikipedia.org], FERPA was ruled NOT to create an individual right for a student to sue over a privacy breach.

Basically, under most circumstances, the main penalty that would be possible for FERPA violations would be removal of federal funding from a university. Most universities do instruct faculty on its requirements, and they may have internal disciplinary measures for faculty who violate it.

From a practical standpoint, having worked at a couple diffe

Can they gain access to my courses?

[Walter White]

Maybe someone will do my homework. ;)

Re:

[rastos1]

Actually I would like to go back to some courses offered by Robert Sedgewick, Princeton. Those are the only courses that got closed after end-date.

Re:

[Translation Error]

"I'm sorry, professor, but Coursera encrypted my homework."

Coursera

[Anonymous Coward]

Maybe they learn something this time.