College Student Expelled for Uncovering Security Flaw
Ahmed Al-Khabaz came across a vulnerability that exposed students' Social Insurance Numbers, class schedules, home addresses and phone numbers.
The National Post's Ethan Cox reports that Ahmed Al-Khabaz, a 20-year-old computer science student at Montreal's Dawson College, was expelled following his discovery of a security flaw that exposed more than 250,000 Quebec college students' personal information.
"Al-Khabaz ... was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as 'sloppy coding' in the widely used Omnivox software which would allow 'anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student,'" Cox writes.
"So Al-Khabaz took the issue to the school's Director of Information Services and Technology," writes Gizmodo's Kyle Wagner. "The meeting went well, and he was told that Skytech, the company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake."
"Shortly after, he was contacted by the president of Skytech who accused him of launching a cyberattack against the company," writes Softpedia's Eduard Kovacs. "Skytech told the student that he could go to jail, unless he signed a non-disclosure agreement. The student agreed to sign the non-disclosure agreement, but his problems were far from being over."
"While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action," writes Ars Technica's Sean Gallagher. "After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him."
"Makes sense," writes Geekosystem's Glen Tickle. "A student points out a security flaw that could have ruined the lives of his fellow students, why wouldn’t you ruin his? Stay classy, Dawson College."
In a statement posted on Facebook, the college responded, "There are two sides to every story. The reasons in the National Post about why the student was expelled are not accurate. But we can see why people would think there had been unfair treatment based on the article. The College stands by its decision, but we are sorry it is causing so much misinformation."
Still, it's not all bad news for Al-Khabaz. "On Monday afternoon, a Skytech employee confirmed media reports that the IT company has offered the 20-year-old a part-time job and a scholarship to finish his studies at another school," write The Montreal Gazette's Christopher Curtis and Jan Ravensbergen.