While preparing to teach Stanford Law’s first Coursera
class, the instructor stumbled across a potential breach that could have
knocked Apple’s issues with the iCloud hack, and the compromising photos
of entertainers it exposed, out of the headlines. While setting up his massive
open online course, Jonathan Mayer, a computer scientist and lawyer, was able
to gain access to nine million Coursera names and email addresses.
In a blog post, Mayer wrote that:
- Any teacher can dump the entire user database, including over nine million names and email addresses.
- Once logged into your Coursera account, any website that you visit can list your course enrollments.
- Coursera’s privacy-protecting user IDs don’t protect much.
Mayer alerted Coursera, which addressed the issues
immediately and sent an apology to its users.
Once the patches were completed, Mayer found plenty of improvements, but
problems still exist.
“The bad news is that anyone with teacher access can
still look up any individual student’s contact information, so long as he or
she either knows the student’s internal ID (it’s embedded in many pages) or can
guess a distinctive part of the student’s email address (maybe try first
initial last name?),” he said. “That’s a questionable security model, and it’s
potentially inconsistent with Coursera’s privacy policy.”