Cybersecurity researchers have discovered an API vulnerability in Coursera that could be misused to read and manipulate a user's recent activity.
Coursera is the most famous online learning platform around, claimed to be used by more than 82 million people globally.
However, in their analysis, security experts at Checkmarx discovered a number of API issues on Coursera, including a Broken Object Level Authorization (BOLA) issue that affected users' preferences.
“This risk could be misused in order to gain a broader understanding of consumer course preferences in general, but also to some extent to bias consumer choices, because manipulation of their recent activity affected the content on the Coursera homepage for a specific user,” wrote Erez Yalon, head of security research at Checkmarx.
Explaining the issue, Yalon writes that, by presenting as regular users, Checkmarx researchers could successfully request the preference data of other users by modifying the GET API requests.
The researchers then refined their method to prove that even anonymous users would have no problem accessing the preferences of a registered user.
Critically, however, they could also successfully edit any user's preferences.
Noting that authorization issues with APIs are quite common, Yalon says API access control issues are the biggest security challenge.
“It is important to centralize access control validation in a single, well and consistently tested and actively maintained component,” Yalon said. Following responsible disclosure, Coursera has resolved the issues.
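
The advice to centralize access control validation can be illustrated with an added example that is not Coursera's or Checkmarx's code. It is a Python sketch with hypothetical handler names and constructed sample data, showing a preference lookup that trusts the requested user id next to read and write handlers that all pass through one object-level check.

```python
# Added example: names and data are hypothetical, not Coursera's API.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: preference records keyed by the owning user id.
PREFS = {
    "u1": {"recently_viewed": ["ml-101"]},
    "u2": {"recently_viewed": ["crypto-201"]},
}

class Forbidden(Exception):
    """Raised when the caller may not touch the requested object."""

@dataclass(frozen=True)
class Caller:
    user_id: Optional[str]  # None means an anonymous request

def get_prefs_vulnerable(caller: Caller, target_id: str) -> dict:
    # BOLA: the object id comes from the request and is never compared
    # with the identity established for the caller.
    return PREFS[target_id]

def authorize(caller: Caller, owner_id: str, action: str) -> None:
    """The single object-level check shared by every preference handler."""
    if caller.user_id is None:
        raise Forbidden(f"anonymous caller cannot {action} preferences")
    if caller.user_id != owner_id:
        raise Forbidden(f"{caller.user_id} cannot {action} prefs of {owner_id}")

def get_prefs(caller: Caller, target_id: str) -> dict:
    authorize(caller, target_id, "read")
    return PREFS[target_id]

def set_prefs(caller: Caller, target_id: str, new_prefs: dict) -> None:
    authorize(caller, target_id, "write")
    PREFS[target_id] = new_prefs

def is_denied(handler, *args) -> bool:
    """Demo helper: True when the handler rejects the call."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print(get_prefs_vulnerable(Caller(None), "u2"))  # returns u2's record
    print(is_denied(get_prefs, Caller("u1"), "u2"))
    print(is_denied(set_prefs, Caller(None), "u2", {}))
    print(get_prefs(Caller("u2"), "u2"))
```

Because both handlers call the same `authorize` function, a new endpoint that forgets the ownership comparison stands out in review as the one handler that does not call it.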