When 20-year-old Ahmed Al-Khabaz, a computer science student at Montreal’s Dawson College, discovered a critical flaw in his college’s student web portal, he decided it was his “moral duty” to share the discovery with the institution’s leaders so that the bug could be fixed before it did serious harm.
But what he probably could not have imagined at the time is that this – for all intents and purposes – honorable decision would ultimately lead to his expulsion from college.
Al-Khabaz, who was also a member of the college’s software development club, and fellow student Ovidiu Mija were working on a mobile app that would make it easier for students to access their accounts on the portal in question, when they discovered that the web application’s “sloppy coding” allowed anyone with a basic knowledge of computers to access all of the students’ accounts and the information contained in them: personal information (including Social Security numbers), grades, class schedules, and more.
They shared what they discovered with François Paradis, the college’s Director of Information Services and Technology, and he seemed satisfied with the discovery. He promised to talk to Skytech, the firm that created the Omnivox portal and online services platform, and have them fix the flaw.
It could all have ended there, and Al-Khabaz would still be a student of the college, had he not decided to check whether the flaw was fixed and whether he could find other critical vulnerabilities by pointing the Acunetix Web Vulnerability Scanner – a legitimate piece of penetration testing software that automates some of the most popular attack techniques against web applications – at the Omnivox web portal.
A few minutes after initiating the “attack”, he received a phone call from Skytech President Edouard Taza, who told him to stop what he was doing.
“I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement,” Al-Khabaz shared with National Post.
As Taza tells it, they were happy that the students alerted them to the flaw, but they were definitely not happy with the subsequent testing.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake,” he said.
But unfortunately, that’s not how the college administrators saw the whole thing, and Al-Khabaz was officially expelled. He tried to appeal the decision, but had no luck – the academic dean and the director-general confirmed the expulsion.
Finding himself in an “academic limbo”, and fearing that he would not be able to continue his education at another college because of the official reason for his expulsion, Al-Khabaz went public in the hope that when he does apply to a different college, this explanation will make the admissions committee think twice about denying his application.
The college has yet to officially comment on any of this. In the meantime, the Dawson Student Union has sided with Al-Khabaz, and is trying to get the administration to overturn their decision.
It seems that Al-Khabaz’s main mistake was not reporting the flaw, but running Acunetix’s scanner against the portal without obtaining permission first.
Many things are still unknown at this point. Has the flaw in question really been patched? How many educational institutions use Skytech’s Omnivox and how many students were in danger of having their information stolen? Will Al-Khabaz be prosecuted for any of this? We’ll have to wait and see.