College Student Expelled After Bringing Web Vulnerability to School’s Attention

A Canadian college student was expelled after reporting a vulnerability in the school’s Web site that potentially exposed private data on more than 250,000 students.

The high-achieving computer science major, Hamed Al-Khabaz, and another student, Ovidiu Mija, in November were developing a mobile app using Omnivox Web portal software when they discovered “sloppy coding” that could lead to a major data breach. Omnivox is used at hundreds of Canadian campuses, including theirs at Montreal’s Dawson College.

Al-Khabaz, 20, said the two immediately notified staff at the school’s Directory of Information Services and Technology and were told the company behind the software would be notified. The software maker, Skytech Communications Inc., later lauded the duo for their discovery.

“All software companies, even Google or Microsoft, have bugs in their software,” said Skytech President Edouard Taza in a published report. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

What landed the would-be bug hunter in hot water was what he did a couple of days later, when he launched the Acunetix Web exploit testing kit to determine if the hole had been sealed. Skytech picked up the intrusion almost immediately, and Taza called the student at his home to let him know they considered his actions a cyber attack that could land him in jail. He then had the student sign a non-disclosure agreement preventing him from discussing what he had found on their servers.

College officials, however, believed Al-Khabaz had violated the school’s professional code of conduct when he launched the vulnerability scanning tool, and the computer science department faculty voted 14-1 to expel the student on Nov. 14. Al-Khabaz appealed to the school’s academics dean and director general, but both recently rejected his pleas.

“Well, if you look at the Criminal Code, it is clear that if someone is having access without authorization to any computer service, he is … guilty in a criminal act,” Dawson director general Richard Filion told the CBC.

The student sees it differently.

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” he told the National Post. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

The expulsion has mobilized members of the school’s 10,500-strong student union, who are demanding Al-Khabaz be reinstated. “Hamed is a brilliant computer science student who simply wanted to help his school,” said Morgan Crockett, director of internal affairs and advocacy, in a statement. “Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology.”

Skytech’s Taza on Monday announced the company had offered Al-Khabaz a scholarship to finish his degree at another school and offered him a part-time job on its information security team.


Discussion

  • createcoms on

    It's all about the bruised male egos in the respective I.T departments.  I was expelled from a technical training college many, many years (2003 if I recall correctly) ago for showing the faculty that a simple skill-less arp poisoning attack could give me sensitive data and even passwords - this was after the I.T dept. said their network was "unhackable".  Next minute I'm expelled.

  • Dez on

    If the student had properly contacted the people in charge when he found the vulnerability, wouldn't it have been prudent to contact the same people before running the vulnerability test?

    I don't think expulsion was the right decision, but the student didn't follow the right channels to verify the vulnerability was, in fact, fixed.

  • Anonymous on

    This is ridiculous, what he did was unethical and illegal. Firstly, there's no way he had a license for Acunetix. Secondly, if he discovered the exploit without Acunetix, there is no need to use it to see if the hole still exists. He was clearly searching for new bugs. He deserved to be expelled, he risked downing a production system for the city's major college.

  • Anonymous on

    What appears to be a copy of a letter from Dawson College to Al-Khabaz was posted on the net, and in it, it states that Al-Khabaz was told the first time he injected SQL code to stop and not do it again and then was caught a second time (presumably with the scanning tool) injecting SQL into the application (causing a denial of service). After the second time, they kicked him out.  Can't say I blame them.

  • KG on

    Horrible disclosure policy. Maybe he should have thought twice and robbed the damn place blind. Morons.
    KG

  • Anonymous on

    Let no good deed go unpunished. This is exactly why there is a market in selling exploits.

  • AB on

    I think it's completely legitimate to check on whether the company did as they promised in fixing the bug.  The fact is, his own data was compromised, and I can very nearly guarantee you that had his information resulted in identity theft, the student would have had a very difficult time getting the software vendor, or the school, to compensate him for damages, hiding behind their UAL agreements and "terms of use" legal fundament. 

    The student acted with reasonable self-interest.  He knew he was one of the very few with the knowledge or skills to assess the ongoing vulnerability.  He was directly threatened by the nature of the vulnerability.  And, lastly, he was one of the few with a true vested interest in confirming that the vulnerability had been mitigated -- neither the school nor the software had anything to gain from its resolution unless there was a public exposure, and even that was nullified once he signed the NDA,  because it would have been impossible for him to report that both entities already knew of the security vulnerability prior to a release of student information. 

    The student never his identity.  He never went public or held a press conference or disseminated the information to hacker sites where it could have come into immediate use.  There is no evidence either of intent or of damage to either entity.   

    What's going on here is school management that knows virtually nothing about Information Security, but rather a lot about legal liability.  Guess which one they're going to go with.  People complain that Americans sue too much... well, this is what happens when the individual has no power and larger entities have all the power.  A suit wouldn't be entirely out of order here to force the school to redress this situation, and ensure it never happens again. 

  • Anonymouse on

    Seems to me he did nothing wrong. If the school cannot handle being pen tested by a friendly, then they will certainly not be able to withstand the daily bashing by unfriendly foes.

    Might as well put up a sign that says "please don't log into the system that has no passwords and a user name of admin because it is just wrong, thank you." and call it security.

    Sounds like another liberal brainwashing facility. 

  • Professor H on

    Hard knocks from which one actually recovers are rare, but I suspect the student who got expelled will be the big winner in the long run.  The school suffers from typical American short-sightedness.  By 'American' I mean North American.

  • Anonymous on

    Are you all honestly too fucking stupid to realize he could've done this legally by asking the company? You don't just start a web exploit framework on a server range for kicks and giggles.

  • Anonymous on

    The student in question may simply have not been aware he could have asked. Assuming he could have.  That's not an assumption I would make.

    He certainly didn't set up his test as a joke.  On first look he simply wanted to be sure the "patch" had happened.  And apparently wasn't trying to hide his activity (report noted he was called "at Home")

    Right off the bat this quote "criminal activity" unquote fails the test of determining a criminal act at several levels.

    Considering he's received several real world job offers, and an offer by a company to pop for the rest of his schooling, I'm pretty sure that young Mr. Hamed Al-Khabaz will get the last laugh out of this, and it'll be a while before the school's administration scrapes the egg off their face.

    Cordially

    Vladimir, Oakland CA

  • Anonymous on

    When are these morons going to learn. Never, ever use SQL Server to store sensitive data.

    Remember:

    You can pay for it now (Oracle) or really pay for it later (SQL Server).

  • joannes on

    whether you are using SQL or Oracle you will always be injected.

    because gurus don't think like normal people do.
