Security researchers from Checkmarx, an application security testing company, have published findings on security vulnerabilities discovered in the popular Coursera learning platform. The firm reports that Coursera's APIs included several issues related to user/account enumeration, lack of resource limiting, and GraphQL misconfiguration.
Beyond these initial findings, Checkmarx also reported Broken Object Level Authorization (BOLA) issues that were of particular concern. The BOLA issues could have allowed attackers to read, and even change, another user's preferences. It was also possible to tamper with a user's activity by changing their recently viewed courses and certifications, which in turn would change the courses recommended to that user.
Checkmarx highlighted how common errors such as these are across the industry:
“Authorization issues are, unfortunately, quite common with APIs. It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements.”
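As an added illustration of the BOLA class described above and of the centralized access-control component the quote recommends (example code written for this article, not Checkmarx's or Coursera's code; all user ids and preference values are constructed sample data), the following compares a handler that trusts the object id in the request with one that routes every object access through a single authorization function:

```python
# Added example (not from the Checkmarx write-up or Coursera's code): a minimal
# model of a BOLA defect in a "user preferences" API and a hardened version
# that routes every object-level access through one central check.
# All users, ids and preference values below are constructed sample data.

# Constructed sample store keyed by user id
PREFERENCES = {
    "u100": {"language": "en", "recommendations": ["ml-101"]},
    "u200": {"language": "pt", "recommendations": ["sec-201"]},
}

class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""

# --- Vulnerable handler: trusts the object id supplied in the request ---
def update_preferences_vulnerable(session_user, target_user, new_prefs):
    # Only checks that the caller is logged in, never that target_user is the caller.
    if session_user not in PREFERENCES:
        raise Forbidden("not authenticated")
    PREFERENCES[target_user].update(new_prefs)   # BOLA: writes any user's record
    return PREFERENCES[target_user]

# --- Central authorization component: the single place for object-level rules ---
def authorize(actor, action, owner_of_object):
    """Return True only if actor may perform action on the owner's object."""
    if actor not in PREFERENCES:
        return False
    # Object-level rule: a user may read or write only their own preferences.
    return action in ("read", "write") and actor == owner_of_object

def update_preferences_hardened(session_user, target_user, new_prefs):
    if not authorize(session_user, "write", target_user):
        raise Forbidden("caller may not modify this user's preferences")
    PREFERENCES[target_user].update(new_prefs)
    return PREFERENCES[target_user]

def cross_user_write_succeeds(handler):
    """Try to change u200's preferences while logged in as u100; True means BOLA."""
    try:
        handler("u100", "u200", {"language": "xx"})
        return True
    except Forbidden:
        return False
```

Running `cross_user_write_succeeds` against each handler shows the vulnerable one accepting the cross-user write and the hardened one rejecting it, while a user's write to their own record still succeeds.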
The discovery of these issues dates back to October 2020, and Checkmarx notes that Coursera was responsive in resolving them.