Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service
A number of security vulnerabilities have been found and disclosed in the Coursera online learning platform. Csaba Krasznay summarizes the key learning points of the story.
The emergence of COVID-19 required immediate action in several areas. The primary objective of the measures carried out immediately at the start of the emergency was to protect the health of the public and to avoid harm, though their secondary effects could not necessarily be predicted. To create the conditions for distance learning and to develop remote working capabilities necessary to maintain the function of the economy, enormous modifications had to be made in a short timespan to existing IT systems, while the introduction of new software was also needed. At the same time, there was also a significant increase in the risk from several cybersecurity issues affecting both systems and users during this period.
Based on the experience of digital education, a selected platform should have the following features:
At Coursera, one of the largest distance learning platforms worldwide, we witnessed a failure of the latter point due to some badly designed APIs. According to the report released in July 2021, the Checkmarx Security Research Team (https://www.checkmarx.com/blog/technical-blog/api-crash-course-broken-object-level-authorization-found-in-coursera/) performed a detailed analysis of the APIs within Coursera’s Vulnerability Disclosure Program and discovered multiple API issues, including “user/account enumeration via the reset password feature, lack of resources limiting on both a GraphQL and REST API, and a GraphQL misconfiguration.” Moreover, they even found Broken Object Level Authorization (BOLA), which is listed at the top of OWASP’s Top 10 API security issues (https://owasp.org/www-project-api-security/). Through this vulnerability, the researchers were able to retrieve and modify the preferences of other users. Coursera cooperated with Checkmarx and fixed the vulnerabilities before the public announcement.
Coursera is another case that reminds us of the importance of API security, and it makes sense to highlight here some lessons learned from this story.
First, personal data is everywhere. A modern digital service cannot operate without data. At first glance, this data might not be classic personal data like a name or address. However, we do construct user profiles from these data pieces, which means that they quickly become personal data, and are therefore in need of protection. Our advice is to keep your eyes on all your collected, transmitted, and even processed data to avoid any future problems.
Second, Coursera has a bug bounty program, something that is still rare among those providing digital services. At Balasys, we highly recommend starting a bug bounty program or joining an existing platform. Do not give cybercriminals the chance to find vulnerable APIs in your service and sell the stolen information on the Darknet. It is far safer if capable people are working in a regulated cybersecurity framework without the risk of carrying out questionable activities.
Third, Checkmarx has a great solution for secure application development. As their recommendation says, “Authorization issues are, unfortunately, quite common with APIs. It is very important to centralize access control validations in a single, well and continuously tested, and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements.” Our experience is the same. Without a central API security management solution, these interfaces can quickly become a high-risk vulnerability on your digital service’s surface. If you want to learn more about API security, please visit our solution page.
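The following is an added example, not code from Coursera, Checkmarx or Balasys, illustrating both the BOLA flaw described above (an endpoint that trusts the user id taken from the URL) and the recommended fix of routing every object access through one central, reusable authorization component. The in-memory store, the `Request` shape and the user ids are constructed for illustration only.

```python
"""Broken Object Level Authorization (BOLA) on a preferences API, shown
beside a hardened version with a single central authorization check.
All data and names here are constructed; this is not Coursera's code."""
from copy import deepcopy
from functools import wraps
from typing import Callable, Dict, Optional


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


class Request:
    """Minimal stand-in for an HTTP request (hypothetical shape)."""

    def __init__(self, subject_id: str, path_user_id: str,
                 body: Optional[Dict] = None) -> None:
        # Identity the server established from the session or token.
        self.subject_id = subject_id
        # Object id the client supplied in the URL: /users/{id}/preferences
        self.path_user_id = path_user_id
        self.body = body or {}


def make_store() -> Dict[str, Dict]:
    """Constructed sample data: two users and their preferences."""
    return deepcopy({
        "u-100": {"language": "en", "newsletter": True},
        "u-200": {"language": "hu", "newsletter": False},
    })


# --- Vulnerable handlers: the id from the URL is trusted as-is (BOLA) ------

def get_preferences_vulnerable(store: Dict, req: Request) -> Dict:
    # Nothing checks that req.subject_id owns req.path_user_id, so any
    # authenticated user reads anyone's preferences by changing the id.
    return store[req.path_user_id]


def update_preferences_vulnerable(store: Dict, req: Request) -> Dict:
    # Same flaw on the write path: another user's record is modified.
    store[req.path_user_id].update(req.body)
    return store[req.path_user_id]


# --- Hardened handlers: one central, reusable authorization component ------

def authorize_object_access(subject_id: str, owner_id: str) -> None:
    """The single place deciding 'may this subject act on this object?'.
    Every per-user endpoint goes through it, so a new endpoint cannot
    silently skip the check."""
    if subject_id != owner_id:
        raise Forbidden(f"{subject_id} may not access objects of {owner_id}")


def owner_only(handler: Callable) -> Callable:
    """Decorator that applies the central check before the handler runs."""
    @wraps(handler)
    def wrapper(store: Dict, req: Request) -> Dict:
        authorize_object_access(req.subject_id, req.path_user_id)
        return handler(store, req)
    return wrapper


@owner_only
def get_preferences(store: Dict, req: Request) -> Dict:
    return store[req.path_user_id]


@owner_only
def update_preferences(store: Dict, req: Request) -> Dict:
    # Only known fields are accepted, so a client cannot inject new keys.
    allowed = {"language", "newsletter"}
    store[req.path_user_id].update(
        {k: v for k, v in req.body.items() if k in allowed})
    return store[req.path_user_id]


def demo() -> Dict[str, bool]:
    """Runs the same cross-user request against both versions."""
    store = make_store()
    # u-100 is logged in but addresses u-200's preferences in the URL.
    cross_user = Request("u-100", "u-200", body={"newsletter": True})
    results = {}
    results["vulnerable_read_leaks"] = (
        get_preferences_vulnerable(store, cross_user)["language"] == "hu")
    update_preferences_vulnerable(store, cross_user)
    results["vulnerable_write_succeeds"] = store["u-200"]["newsletter"] is True

    store = make_store()
    try:
        get_preferences(store, cross_user)
        results["hardened_read_blocked"] = False
    except Forbidden:
        results["hardened_read_blocked"] = True
    try:
        update_preferences(store, cross_user)
        results["hardened_write_blocked"] = False
    except Forbidden:
        results["hardened_write_blocked"] = store["u-200"]["newsletter"] is False
    # The legitimate owner still gets through the same central check.
    own = Request("u-200", "u-200", body={"language": "en"})
    results["owner_allowed"] = update_preferences(store, own)["language"] == "en"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the decorator is that the ownership decision lives in exactly one function; reviewing a new endpoint then reduces to checking that it carries `@owner_only`, which is the kind of central, continuously tested component the Checkmarx recommendation describes.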
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Szilárd Pfeiffer: API security: there is nothing new under the sun
With the incredible amount of data flowing through them, the security of APIs is becoming a growing concern in the IT industry. What are the best practices and proven solutions that organizations can follow in order to ensure the security of their APIs? There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Gábor Pék: Trusted Types: A world without XSS
XSS, or cross site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug-hunting companies such as Hackerone. Although our defenses have been significantly strengthened in recent years, this attack vector is still with us. As we move away from server rendered pages towards SPAs (Single Page Applications), we are being forced to deal with a new type of XSS attack: the DOM XSS. Gábor shares the story of the creation of Trusted Types, a new browser-based protection mechanism, and his experience with implementing it into Avatao’s Angular code base. According to a study conducted by Google, the company "has zero DOM XSS among applications migrated to Trusted Types." A great result, to be sure! But is it worth the effort?
Csaba Krasznay: Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. The term ‘our world’ must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still concerned with conventional armed clashes, more and more information is available concerning the activities and tools of the various state and non-state hacker groups. Companies can prepare for the re-emphasis on cyber operations as the battles in physical space subside, with the difference that perhaps less significance will be placed on financial gain and far more on destruction. Most enterprise IT has already migrated to the cloud and to solutions that exchange data through APIs, which have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.