Feeds

Student claims code flaw spotting got him expelled from college

Canadian college denies overreacting

Protecting against web application threats using SSL

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.

Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules

Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software's developers Skytech.

Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent's home started to ring he said. On the other end was Edouard Taza, the president of Skytech.

"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed," the student said.

"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."

Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one's privacy has been breached, but he was concerned at the scanning software used.

"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake," he said.

Unfortunately for Al-Khabaz Dawson College didn't feel that way, and began an investigation for a for a "serious professional conduct issue." Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college's code.

After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct," he said. "I really want this degree, and now I won’t be able to get it. My academic career is completely ruined."

But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.

"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," said the educational institution in a statement.

A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and "injected SQL code," according to his expulsion letter.

Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it's clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.