Researchers on Thursday disclosed that over the past year they found and later fixed a broken object level authorization (BOLA) vulnerability and many other API issues on the platform used by online course provider Coursera.
The BOLA vulnerability could have been abused by hackers to understand the course preferences of users, as well as to bias a user’s course choices, Checkmarx researchers said in a blog post. By manipulating users' recent activity, they said, the content rendered on Coursera’s homepage for each user could then be impacted.
According to the researchers, Checkmarx sent Coursera’s security team a full report of its findings on Oct. 5, 2020, and after the Checkmarx and Coursera teams worked to resolve the issue, Coursera confirmed on May 24 of this year that all the issues were fixed.
A BOLA occurs when an application does not correctly confirm that the user performing the request has the required privileges to access a resource of another user. Just about every company has APIs that are potentially vulnerable to a BOLA.
While APIs have been around for years, the adoption of the cloud and cloud services is a leading driver behind their explosive use, added Jason Kent, hacker in residence at Cequence Security. Kent said the BOLA mentioned by the Checkmarx researchers means that the threat actors could elevate their privileges to super admin and move laterally to access the other cloud services and associated data.
“The fact that it is in the cloud, as opposed to a data center, behind many layers of security, means those added services and data are slightly more accessible to threat actors,” Kent said. “This is yet another in a long line of API security incidents that could be avoided with secure API coding practices."
Adam Fisher, principal security engineer at Salt Security, said BOLAs are critical and also not very common because they require login details, credentials, and access to the user’s portal. Fisher said a BOLA puts a company at risk for losing a vast amount of sensitive customer data.
A BOLA stems from inadequate authorization measures, Fisher explained. With coding, Fisher said it’s important to have a central process for checking the authorization of users, which should become a “first-step” in an application’s architecture.
“Every single API call should be programmed to do this to confirm authorization of the end user as well,” Fisher said. “The first check needs to be done in code, while a necessary ‘second’ check should occur as a preemptive measure that prevents an attack from happening. In the Coursera example, there was no mechanism in place to verify user IDs, which would enable potential attackers to enumerate user authentication.”
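The two points above, the BOLA pattern itself and the centralized "first-step" authorization check, side by side in an added example (not Coursera's code, not Checkmarx's). The user IDs, the "recent activity" store and the handler names are constructed for illustration.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed sample data: user id -> recent course activity (assumption, not a real schema).
RECENT_ACTIVITY = {
    "u-100": ["intro-to-crypto", "cloud-security-101"],
    "u-200": ["data-science-basics"],
}

@dataclass(frozen=True)
class Session:
    """Authenticated caller; only user_id matters for the ownership check."""
    user_id: str
    is_admin: bool = False

class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested resource."""

def get_activity_vulnerable(session: Session, user_id: str) -> list[str]:
    """BOLA: the handler trusts the user_id in the request and never checks
    that it belongs to the caller, so any logged-in user can read another
    user's activity (a matching write handler would let them alter it)."""
    return list(RECENT_ACTIVITY.get(user_id, []))

def authorize_owner(handler):
    """Central authorization step applied to every handler that takes a
    user_id: the caller must own the resource or be an admin. One shared
    layer does the check instead of each endpoint re-implementing it."""
    @wraps(handler)
    def wrapper(session: Session, user_id: str, *args, **kwargs):
        if not session.is_admin and session.user_id != user_id:
            raise Forbidden(f"{session.user_id} may not access user {user_id}")
        return handler(session, user_id, *args, **kwargs)
    return wrapper

@authorize_owner
def get_activity(session: Session, user_id: str) -> list[str]:
    return list(RECENT_ACTIVITY.get(user_id, []))

@authorize_owner
def set_activity(session: Session, user_id: str, courses: list[str]) -> list[str]:
    RECENT_ACTIVITY[user_id] = list(courses)
    return RECENT_ACTIVITY[user_id]

if __name__ == "__main__":
    alice = Session("u-100")
    print(get_activity_vulnerable(alice, "u-200"))  # leaks u-200's data
    try:
        get_activity(alice, "u-200")
    except Forbidden as exc:
        print("blocked:", exc)
```

Any new handler that takes a `user_id` gets the same check by decorating it, which is what makes the authorization step hard to forget on a single endpoint.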