Aaron Fisher, a senior in the Goizueta Business School, created a free application for Emory students. The app extends to students at the University of Pennsylvania’s Wharton School, Washington University in St. Louis, the University of Maryland and IDC Herzliya in Israel.
CourseGem is an application that unifies several Emory platforms – Blackboard, OPUS and Emory email, among others – through a single login page. It also provides students with links to school calendars and upcoming events.
At first glance, there seem to be security concerns: an application that saves your password, and through it has access to personal information such as your Social Security number and financial information, seems disconcerting. Those concerned should note that all of the information CourseGem stores is saved locally in the browser rather than on an external server. That makes CourseGem a convenient option for students who are tired of flipping through multiple browser tabs and logging into multiple sites.
We at the Wheel find this app necessary in light of the void for connectedness following the slow and tragic death of LearnLink (may it rest in peace). CourseGem is easy for students to access and user-friendly, and it centralizes the various websites students visit every day. Combined with the debut of the Emory Bubble, CourseGem’s arrival shows that Emory students are making innovative efforts to unify the University’s diverse online platforms and ease communication. The digital age has opened us up to many technological advances, and we at the Wheel find this an exceptional privilege that can be truly advantageous for students.
The above staff editorial represents the majority opinion of the Wheel’s editorial board.
The Emory Wheel was founded in 1919 and is currently the only independent, student-run newspaper of Emory University. The Wheel publishes weekly on Wednesdays during the academic year, except during University holidays and scheduled publication intermissions.
The Wheel is financially and editorially independent from the University. All of its content is generated by the Wheel’s more than 100 student staff members and contributing writers, and its printing costs are covered by profits from self-generated advertising sales.
CourseGem is a good idea but as of a week ago it was still storing passwords in plain text instead of encrypting them. The fact that they are stored locally instead of on a server is actually WORSE because your password is exposed to every website you visit.
Any website you visit can read this password if it wants to. The same applies (potentially) to any ads on any website you visit. The same for any pop-up or pop-under windows that show up on your computer. Any application, utility, game, plug-in, Chrome App, Firefox extension, or search bar you install can read this password. And if you’re ever infected by a virus or spyware, you can just consider your password exposed. In general terms there is also no guarantee that your password isn’t being sent to the person who writes the software, though in this case as an Emory student, we all have reason to hope that this is not the case.
I’ve seen CourseGem and it’s a great concept. But it’s built on an unsafe practice that is easy to fix. Until proper password protection is in place, using CourseGem is an unnecessary risk to your information and personal privacy. Whether you think that risk is small or not, let’s encourage the author to take one more step in developing this app in order to make it safe for everyone. Encrypt the passwords!
Hello Brett,
I would like to elaborate upon the concerns which you have raised.
As of September 22, 2013, CourseGem started encrypting passwords, but this was in large part to mitigate security concerns which I believe to primarily stem from a lack of understanding, and I will elaborate on these points.
The local storage in the browser which is allocated to extensions is not accessible to any website or extension which CourseGem does not explicitly target. No “application, utility, game, plug-in, Chrome App, Firefox extension, or search bar” can access this data. If a malicious application is installed on your system, and your browser is compromised, then your personal data can be extracted with or without CourseGem.
In regard to data transfer transparency, all of CourseGem’s code is out in the open (it’s sitting in your browser), so any curious individual can take a look and see what’s going on under the hood. CourseGem has been rated among the top 100 Chrome extensions (out of 50,000+), and has near perfect reviews, so I think the user community’s publicly available feedback should be taken into consideration when weighing trust considerations.
I will now discuss the main security issue that most people do not understand. LastPass, and other password managers, have gotten great reviews and have been advocated as positive safety mechanisms. The encryption methods they employ render any data theft on their servers quite useless. But what about client-side encryption and decryption? There is one client-side attack vector which cannot be avoided. Whenever data is entered into a login form, login information will have to be decrypted. So anyone with access to your browser doesn’t even have to bother decrypting the data (which is quite easy when the decryption functions are sitting in your browser), they can just navigate to any website with which you use the password manager, set a breakpoint in the JavaScript before the form is submitted, and view your inputted ID and password in plain text. You can log out of password managers, just like you can log out of CourseGem, after which the data is either not able to be decrypted (e.g. LastPass), or deleted altogether (CourseGem).
Even more conveniently, if you store your passwords with Chrome (or Firefox’s) default password manager, you can actually just go into the browser settings and view the passwords in plain text.
The reason we don’t hear about attacks on this information in the news, while each week some big company has their database compromised, is quite simple actually. Chrome is incredibly difficult to hack remotely, and without remote browser manipulation, someone would need physical access to your computer to extract any data. If someone succeeded in administering either of these noted attacks, they could easily collect each of your keystrokes in real time. It wouldn’t even matter if you didn’t store passwords at all. Additionally, an interested, malicious individual would have to hack each user separately! This reality should put the plain text issue into perspective, and that’s why Chrome, Firefox, LastPass, and others do not see this as a serious concern.
If your computer is stolen, then CourseGem should be no more of a concern than any other password manager, and it will probably be the least of your worries. In this scenario, let’s hope you weren’t logged into your email account, and I won’t even go into what that could mean for you.
Aside from user preference, the main reason I decided not to store passwords in plain text is to make it less convenient for your average Joe to see your password if he/she is using your computer. Just like other password managers, the data CourseGem stores in your browser can be decrypted easily by a knowledgeable person, since the decryption functions are a part of the extension. The encryption is a precaution against convenience, and it does not make browser data storage truly more secure.
I would argue that CourseGem is safer than browsers’ default password management tools, since extension storage location is a less likely place to look (and now the data is not stored in plain text), and that it is inherently safer than LastPass or other password managers because it does not even store your data on an external server. The best way to avoid online security issues is to not even store data online, which is the approach I have taken with CourseGem.
On top of all of that, CourseGem can even help you avoid phishing attempts, since the extension is not prone to any phishing method. If you find yourself at an Emory login prompt, and CourseGem did not log you in automatically, you can take a look to see if the URL is spoofed, when you might not have otherwise even thought twice. As universities are very prone to phishing attacks, I have been considering adding phishing detection into a future CourseGem update.
In summary, CourseGem is in the same boat as every other password manager when it comes to security. Your data is safe so long as someone malicious does not gain physical access to your computer, and even if that happens, all of your data could easily be taken anyway. CourseGem does not introduce new security concerns, and I do not believe anyone has any reason to worry.
I hope my explanation can shed some light on security concerns pertaining to CourseGem, and I welcome all feedback.
Sincerely,
Aaron Fisher
CourseGem developer & Emory student
aaron@coursegem.com
Aaron,
I commend your effort and traction thus far. It seems like a useful tool that will save time for its users. Do you have any further plans to encrypt passwords? In addition, it may make sense to support other browsers and mobile devices.
We experience these struggles first hand so if there is anything the Emory Bubble team can do to help advance CourseGem, I would be happy to meet. A single path of least resistance can compromise our entire community to someone with malicious intent. Protecting the personal information of our peers with proper authentication is especially important (Bubble never has access to passwords at all when someone logs in at http://www.emorybubble.com). As part of Bubble’s beta period, we’re executing required virus protection, intrusion detection, and data encryption processes according to industry standards. It may be helpful to clearly state what you have in place and what is in the pipeline. 🙂
Lastly, a big thank you for helping draw attention to an underlying issue and making the large array of Emory’s resources more accessible. I think we have a great entrepreneurial spirit at Emory and it’s wonderful that we’re all empowered to attempt solutions from all angles. We’re fortunate at Emory to have a large array of tools and resources.
Thank you Nir.
To further clarify though: CourseGem is not a web application, and it exists solely on your computer. There is no database to hack, CourseGem does not store or verify passwords online, and there is nothing to intrude upon. CourseGem is NOT subject to ANY of the following vulnerabilities: XSS attacks (no website), SQL injection (no database), phishing (strict URL processing), weak authentication issues (no authentication process), DDoS attacks (no server), etc. CourseGem is really just an automation tool, and the only real concern would be malicious, physical access to your computer. With physical access to your computer, if you are logged into CourseGem, your data can be decrypted and extracted, just as it can with the world’s most trusted password managers. There is no way around this when you deal with browser password management unless you want to require a password with each use/session.
This doesn’t seem to be something fazing people from using password managers, and the nature of this issue does not permit mass intrusion. If people haven’t been worrying over this issue until now, and there has never been a history of attacks (unlike database storage), I don’t think users have any reason for concern.
CourseGem will be available for Firefox and Safari at some point, and a mobile app of some sort will eventually arrive as well. CourseGem aims to make academic tools and resources more accessible to students everywhere, and much more lies in store ahead.