A Canadian college student was expelled after reporting a vulnerability in the school’s Web site that potentially exposed private data on more than 250,000 students.
The high-achieving computer science major, Hamed Al-Khabaz and another student, Ovidiu Mija, in November were developing a mobile app using Omnivox Web portal software when they discovered “sloppy coding” that could lead to a major data breach. Ominvox is used at hundreds of Canadian campuses, including theirs at Montreal’s Dawson College.
Al-Khabaz, 20, said the two immediately notified staff at the school’s Directory of Information Services and Technology and were told the company behind the software would be notified. The software maker, Skytech Communications Inc., later lauded the duo for their discovery.
“All software companies, even Google or Microsoft, have bugs in their software,” said Skytech President Edouard Taza in a published report. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”
What landed the would-be bughunter in hot water was what he did a couple of days later, when he launched the Acutenix Web exploit testing kit to determine if the hole had been sealed. Skytech picked up the intrusion almost immediately, and Taza called the student at his home to let him know they considered his actions a cyber attack that could land him in jail. He then had the student sign a non-disclosure agreement preventing him from discussing what he had found on their servers.
College officials, however, believed Al-Khabaz had violated the school’s professional code of conduct when he launched the vulnerability scanning tool, and the computer science department faculty voted 14-1 to expel the student on Nov. 14. Al-Khabaz appealed to the school’s academics dean and director general, but both recently rejected his pleas.
“Well, if you look at the Criminal Code, it is clear that if someone is having access without authorization to any computer service, he is … guilty in a criminal act,” Dawson director general Richard Filion told the CBC.
The student sees it differently.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” he told the National Post. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
The expulsion has mobilized members of the school’s 10,500-strong student union, who are demanding Al-Khabaz be reinstated. “Hamed is a brilliant computer science student who simply wanted to help his school,” said Morgan Crockett, director of internal affairs and advocacy, in a statement. “Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology.”
Skytech’s Taza on Monday announced the company had offered Al-Khabaz a scholarship to finish his degree at another school and offered him a part-time job on its information security team.