A computer science student at Montreal’s Dawson College identified a security flaw in the computer system used by numerous colleges in Quebec. The flaw exposed the personal information of 250,000 students, but instead of getting a pat on the back, the student was expelled from the school.
20-year-old Ahmed Al-Khabaz was working on a mobile app to give students easier access to their college accounts, but in the process he and a colleague discovered what they describe as “sloppy coding” that would allow easy access to personal information stored on the system. Al-Khabaz said the flaw would make it possible for anyone with basic computer knowledge to gain access to social insurance numbers, phone numbers, home addresses and even class schedules.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
The college’s tech director praised Al-Khabaz and his colleague Ovidiu Mija for their work and promised that he would work with Skytech, the makers of the system, to address the flaws. However, two days later Al-Khabaz ran another security check to make sure the problems had been corrected, and a few minutes later he got a call from Edouard Taza, the president of Skytech.
Taza told Al-Khabaz that what he was doing was tantamount to a cyber attack and then went on to threaten him with criminal charges and arrest.
“I apologised, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement,” said Al-Khabaz.
In the end, Al-Khabaz was expelled, and the NDA prevents him from discussing confidential information he found on Skytech servers, or any information relating to Skytech, under pain of further legal consequences.
Taza told the National Post that he did contact Al-Khabaz and that he “mentioned” police and legal consequences but did not make any threats, as if “mentioning” legal action and involving the police were not a threat.