Wednesday, 23 January 2013
College Student Expelled for Uncovering Security Flaw
Ahmed Al-Khabaz came across a vulnerability that exposed students' Social Insurance Numbers, class schedules, home addresses and phone numbers.
The National Post's Ethan Cox reports that Ahmed Al-Khabaz, a 20-year-old computer science student at Montreal's Dawson College, was expelled following his discovery of a security flaw that exposed more than 250,000 Quebec college students' personal information.
"Al-Khabaz ... was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as 'sloppy coding' in the widely used Omnivox software which would allow 'anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student,'" Cox writes.
"So Al-Khabaz took the issue to the school's Director of Information Services and Technology," writes Gizmodo's Kyle Wagner. "The meeting went well, and he was told that Skytech, that company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake."
"Shortly after, he was contacted by the president of Skytech who accused him of launching a cyberattack against the company," writes Softpedia's Eduard Kovacs. "Skytech told the student that he could go to jail, unless he signed a non-disclosure agreement. The student agreed to sign the non-disclosure agreement, but his problems were far from being over."
"While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action," writes Ars Technica's Sean Gallagher. "After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him."