August 23, 2014

College student reports software vulnerability in school’s web service and then gets expelled

(LiveHacking.Com) – A talented computer science major has been expelled from Dawson College in Montreal, Canada because he ran a test to check on the status of a security vulnerability which he had previously found and reported.

While developing a mobile app using Skytech’s Omnivox Web software, Hamed Al-Khabaz, along with fellow student Ovidiu Mija, discovered some “sloppy coding” that, if exploited, could disclose the personal information of thousands of students. The pair immediately notified the school’s technical staff and were told that Skytech would be notified. The two students were initially praised by Skytech: “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

And this is how it should be: a flaw is discovered, it is reported, it is fixed, and the people who find it are acknowledged for their efforts and for fully disclosing the error rather than using the information for some illegal activity.

However, what happened next is bizarre. To verify that the flaw had been fixed, Hamed used Acunetix’s Web Vulnerability Scanner on the school’s web site. The use of the tool was quickly detected by Skytech, and the president of Skytech called the student at his home and threatened him.

Skytech’s president Edouard Taza is reported to have told Hamed that his actions were considered a cyber attack and that he could go to jail. Hamed was then forced to sign a non-disclosure agreement. More bizarre than Skytech’s reaction was the reaction of the college, which decided to expel the student. Al-Khabaz appealed, but even the school’s academic dean and director general rejected his pleas.

The twist now means that the high-achieving computer science student, who acted completely openly and for ethical reasons, has now been branded a criminal. If I buy a lock for my front door, will I be arrested if I try to open it and see how strong it is?

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” he told the National Post. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

It is reported that Skytech has offered Al-Khabaz a scholarship to finish his degree at another school; however, this information can’t be verified as both the Skytech and Dawson College websites are down.
