Coursera, one of the most popular online education platforms with over 9 million students, suffers from numerous critical privacy issues that put its students’ information at risk.

According to Stanford computer science instructor Jonathan Mayer, any teacher can access and download the entire user database, including millions of names and email addresses. In a blog post Mayer also explained that “if you are logged into your Coursera account, any website that you visit can list your course enrollments.”

Mayer outlined and even provided a working proof of concept  for the attacks that remain effective today.

Any website could theoretically take advantage of a data leak in Coursera’s software to learn a student’s entire course enrollment. Mayer said Coursera has yet to respond to his report on the vulnerability, though he reported the problem last week. Coursera responded with several fixes but has yet to close the hole through which teachers can find out information about students that the pupils don’t realize they’re giving up.

To download Coursera’s user database, anyone with an instructor account can take advantage of the website’s liberal use of autocomplete, a feature meant to provide smart suggestions to users when filling in forms but, in this case, is “inadvertently sharing too much.”

“That’s a questionable security model,” he said, “and it’s potentially inconsistent with Coursera’s privacy policy.”

H/T Ashkan Soltani | Photo via flakeparadigm/Flickr (CC BY-SA 2.0)