Student expelled for helping find security flaws at university
Ahmed Al-Khabaz, who was studying computer science at the Dawson College, discovered that the student software managing their college accounts had a significant flaw that could allow any user to retrieve students' personal information, according to the National Post.
Al-Khabaz brought the issue up with the college, who thanked Al-Khabaz and colleague fellow student who discovered the flaw with him, and was told that the college would work with the creator of the software, Skytech, to ensure it was fixed. The software in question — Omnivox — is also in use at a number of other universities.
When Al-Khabaz tested the system two days later, he received a phone call from Skytech President Edouard Taza, who, according to Al-Khabaz's account of the incident, threatened to have him arrested unless he signed a non-disclosure agreement, which, in addition to preventing him from discussing the issue, also prevented him from disclosing that such an agreement even existed.
Al-Khabaz had used a toolkit called Acunetix to test whether the flaw still existed. It typically tests for common vulnerabilities, such as cross site scripting flaws or for where developer has failed to protect against SQL injection attacks. Many of the tests can simply be attempted manually, but probing web applications falls into a relatively grey area, legally and ethically.
Despite Al-Khabaz signing the non-disclosure agreement, the university moved to expel Al-Khabaz from the university and zeroed his grades, ruining his chances of applying at another university.
Al-Khabaz's appeals to the university have been denied.
Dawson Student Union has now set up a site petitioning the university to recognise that Al-Khabaz's intents were not malicious and to have his expulsion overturned. It has already received about 5,000 signatures, while Al-Khabaz has received seven job offers.
According to CBC News and the student union's petition website, Al-Khabaz has also received a scholarship and part-time job offer from Skytech itself.
At the time of writing, Skytech's website was unavailable.
The incident echoes that of Australian security researcher Patrick Webster, who, similar to Al-Khabaz, discovered a flaw in First State Super's site, informed them, but was later questioned by local police. The investigation was later dropped once the story hit the media, and the Privacy Commissioner's investigation, which found First State Super to be in breach of the Privacy Act, later noted that the NSW Police and First State Super had stopped pursuing Webster.
Such incidents have led well-intending researchers to either not report vulnerabilities as they find them, or take pre-emptive action to obtain a lawyer before informing the vulnerable organisation.