
Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses

timothy posted about a month and a half ago | from the don't-I-know-you-from-the-semiotics-class? dept.

Security 31

An anonymous reader writes: Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.


31 comments


Coursera is a luminous toad (-1, Troll)

For a Free Internet (1594621) | about a month and a half ago | (#47829277)

It is a shitbox profit machine for shithead school administrator cop-fellators and imperialism pimps.

Re:Coursera is a luminous toad (1)

i kan reed (749298) | about a month and a half ago | (#47829363)

As an imperialistic pimp, I've got to point out that it's a bit of a social necessity to create a cultural standard by means of universal education, and tools to that regard are useful for everyone.

Not just for the whole shared-experience-helps-maintain-national-culture part, but also the people-who-can't-read-are-useless part.

And what does courshitta have to do with that? (1)

For a Free Internet (1594621) | about a month and a half ago | (#47829387)

The software is not for educating, it is for rationing and commodifying education in the service of profit. It is for denying education to unprofitable students and getting the most work out of minimum wage teacherbots.

Re:Coursera is a luminous toad (-1)

Anonymous Coward | about a month and a half ago | (#47829565)

A tool without values is oxygen without life.

MOOCs are very important and revolutionary. (0)

Anonymous Coward | about a month and a half ago | (#47830279)

Look, I don't think you understand just how important Coursera and the other MOOCs are these days. Going to college is expensive, and it's a lot of work. Many first-worlders can't afford it, and only the very richest second- and third-worlders can. But Coursera and MOOCs give all second- and third-worlders a way to beg for a useless certification, without actually doing any real work, just like first-world students can.

Before Coursera and MOOCs existed, students would have to pay thousands upon thousands of dollars to attend a college, and only then could they cry to the professor that the assignments were too hard, that the exam was too long, that they didn't have time to study because of a "religious holiday", and that they deserve special treatment because of their "learning difficulties".

Coursera and MOOCs get rid of the financial obstacles that hinder the education of so many second- and third-worlders. Now with just a computer and rudimentary English skills, they can join 15 courses at a time, do absolutely no work or studying for any of them, cry and whine in a few forum posts, and then still get a nice fancy PDF of a pity certificate out of it. MOOCs have brought the higher learning experience to almost everyone on Earth!

And, once again ... (2)

gstoddart (321705) | about a month and a half ago | (#47829349)

Someone rushes a product to market, with absolutely zero thought about security.

This sounds like some pretty epic incompetence (or laziness).

That they then roll this out to 9 million students is pretty sad.

Re:And, once again ... (2)

TWX (665546) | about a month and a half ago | (#47829547)

At least it's not a Github project dependent on both Ruby and its package management system, node.js and its package management system, MySQL for at least one of those two, plus several third-party repositories and then its own DB requiring PostgreSQL...

Re:And, once again ... (0)

Anonymous Coward | about a month and a half ago | (#47831001)

And a GUI interface using Visual Basic!

Re:And, once again ... (1)

fropenn (1116699) | about a month and a half ago | (#47829773)

It's not a problem. It's a feature.

Re:And, once again ... (1)

i kan reed (749298) | about a month and a half ago | (#47829799)

I think there's a difference between "zero thought about security" and "not meeting the level of constant vigilance that genuinely safe code requires".

I mean they clearly built a full on authentication system for the front-end. And I doubt that makes the casual mistakes that tend to do those in: not hashing passwords, not using HTTPS for login, SQL injection.

But I don't know. I don't have their code and 2 weeks to figure it out.

Re:And, once again ... (1)

tlhIngan (30335) | about a month and a half ago | (#47830079)

Someone rushes a product to market, with absolutely zero thought about security.

Geez, haven't you heard? Online education and MOOCs are the Next Big Thing! If you aren't first to the market, you're beat!

When time-to-market is the most important factor, expect shortcuts to be taken.

Re:And, once again ... (0)

Anonymous Coward | about a month and a half ago | (#47831893)

Heads will roll.

My personal data was leaked by Coursera (3, Interesting)

aBaldrich (1692238) | about a month and a half ago | (#47829353)

Back on Jul 17 an email arrived in my gmail inbox. Subject: "Earn an LL.M. in the United States in Less Than A Year". Sent by UF Levin College of Law, they spammed me and lots of courserans about a program "designed exclusively for graduates of law schools outside of the United States and from the U.S. Commonwealth of Puerto Rico who want to enhance their understanding of the laws and legal language and culture of the United States of America."
The distribution list did not ask for permission or confirmation. The design errors didn't stay there: anyone could reply to the list and have the messages forwarded. In less than two hours, 47 angry students from around the world complained and asked each other to send an email to Coursera. Which I did. I only got an automated reply, and never heard back from them.

from: Jesse *, Jr.
reply-to: "Jesse *, Jr."
to:COURSERALAW-L@lists.ufl.edu
date: 17 July 2014 15:20

Re:My personal data was leaked by Coursera (0)

Anonymous Coward | about a month and a half ago | (#47829655)

No. Your personal data was most likely SOLD by Coursera.

Re:My personal data was leaked by Coursera (-1)

Anonymous Coward | about a month and a half ago | (#47833045)

I used Paywings Payroll Software and was delighted to see its amazing interface, ease of use and installation.
You can download free payroll software [stplglobal.com] here.

So use a unique online student email. (2)

wherrera (235520) | about a month and a half ago | (#47829465)

I think most students who are savvy enough to use Coursera ought to be able to create a student-only email account for the purpose.

Re:So use a unique online student email. (0)

Anonymous Coward | about a month and a half ago | (#47829509)

At my former university, you get one account, that is your login to google mail, other services, and now Coursera.

Re:So use a unique online student email. (0)

Anonymous Coward | about a month and a half ago | (#47829607)

I think what the GP meant was that when you sign up for Coursera, you create an email account somewhere like 'coursera_pimps@gmail.com' and use that for them.

It is getting harder though since more and more of the "free" email companies are demanding cell phone numbers and other things to "verify" the account.

Thanks spammers!

Re:So use a unique online student email. (0)

Anonymous Coward | about a month and a half ago | (#47829713)

Thanks spammers!

You should be thanking the assholes who actually make these stupid decisions to begin with, not the people they blame for their own actions.

Re:So use a unique online student email. (0)

Anonymous Coward | about a month and a half ago | (#47829691)

What? A university that uses Google for student mail? Please tell me which one. Fucking ridiculous.

Re:So use a unique online student email. (1)

Anonymous Coward | about a month and a half ago | (#47829553)

What a stupid statement. People have an expectation of security. This is like blaming consumers for not knowing they should have had a throwaway card to buy stuff at Target after their massive data breach. If you're going to store or process others' personal information it's your responsibility entirely to secure it.

As someone who works with educational data (2, Interesting)

Anonymous Coward | about a month and a half ago | (#47829535)

As someone who works with educational data in higher education, I am completely unsurprised. Coming from an IT background, almost no one in education cares about data security - and no one understands FERPA anyway - and it's a miracle this hasn't happened more.

There's a lot more data out there than there used to be, and very few (if any) of the business software packages used in education seem to have the necessary granularity needed to give people access to only the data they need.

Re:As someone who works with educational data (1)

mlts (1038732) | about a month and a half ago | (#47829779)

Does FERPA have any teeth in it? I've yet to hear about it actually being enforced. Similar with HIPAA, I've read about a slap on the wrist here and there after some medical facility had all their info lost. Even PCI-DSS seems to be more lip service than anything else, mainly CYA if that.

The only way we are going to see anything but miserable, failed excuses of security as SOP in the industry is if there are grave consequences for breaches, and not just XYZ company getting fined, declaring bankruptcy and reforming as ABC company (with all the assets owned by holding organizations), but actual "go to jail, do not pass go, do not collect $200" consequences on someone other than some low-level lackey who is still standing when the music stops.

Re:As someone who works with educational data (1)

AthanasiusKircher (1333179) | about a month and a half ago | (#47830021)

Does FERPA have any teeth in it? I've yet to hear about it actually being enforced.

Well, per the Supreme Court decision Gonzaga University v. Doe [wikipedia.org] , FERPA was ruled NOT to create an individual right for a student to sue over a privacy breach.

Basically, under most circumstances, the main penalty that would be possible for FERPA violations would be removal of federal funding from a university. Most universities do instruct faculty on its requirements, and they may have internal disciplinary measures for faculty who violate it.

From a practical standpoint, having worked at a couple different universities, I usually hear about FERPA actually being invoked when students or parents want access to educational records or want access to make a correction to an educational record, which it also requires. I've heard of students suing over various things, but not FERPA -- and usually if an instructor does something stupid like post a list of grades that a student complains about, someone just tells the instructor not to do that again, and most people just comply because violations are often out of ignorance.

Re:As someone who works with educational data (1)

irq0 (3780595) | about a month and a half ago | (#47836143)

no one understands FERPA anyway

FERPA also leaves things open to interpretation. For example, Universities can share "directory information" and they get to define what that term means. Teachers should not have access to grading info ... unless they need it to do their job.

Can they gain access to my courses? (1)

Walter White (1573805) | about a month and a half ago | (#47829577)

Maybe someone will do my homework. ;)

Re:Can they gain access to my courses? (1)

rastos1 (601318) | about a month and a half ago | (#47829687)

Actually I would like to go back to some courses offered by Robert Sedgewick, Princeton. Those are the only courses that got closed after end-date.

Re:Can they gain access to my courses? (1)

Translation Error (1176675) | about a month and a half ago | (#47830135)

"I'm sorry, professor, but Coursera encrypted my homework."

Only 1 week before revealing the problem? (0)

Anonymous Coward | about a month and a half ago | (#47830043)

Face it folks, allowing a site one week to address a security problem may not be enough time to properly address and fix the issue. How many vendors have taken months just to fix a security issue and not just apply a little bandage? That teacher should get his head out of his Ivory Tower and start dealing with these issues responsibly in the real world...

Coursera (1)

Anonymous Coward | about a month and a half ago | (#47832485)

Maybe they learn something this time.
