Student claims code flaw spotting got him expelled from college
A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.
Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules
Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software’s developers Skytech.
Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent’s home started to ring he said. On the other end was Edouard Taza, the president of Skytech.
“He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed,” the student said.
“He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement.”
Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one’s privacy has been breached, but he was concerned at the scanning software used.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake,” he said.
Unfortunately for Al-Khabaz Dawson College didn’t feel that way, and began an investigation for a for a “serious professional conduct issue.” Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college’s code.
After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.
“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct,” he said. “I really want this degree, and now I won’t be able to get it. My academic career is completely ruined.”
But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.
“When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student,” said the educational institution in a statement.
A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and “injected SQL code,” according to his expulsion letter.
Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it’s clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®