A student at Montreal’s Dawson College has been expelled after pinpointing a flaw in the Omnivox web portal software that could allow an attacker to access records of thousands of students.
20-year-old computer science major Ahmed Al-Khabaz was busy developing a mobile app that worked in tandem with Omnivox when he discovered “sloppy coding” that could have easily led to the second massive education-related data breach in Canada. The last one happened less than a month ago.
Al-Khabaz quickly reported the vulnerability to the Directory of Information Services and Technology, who extended congratulations to the student and his collaborator for their discovery. The duo were told that Skytech — the company that develops the Omnivox software — would be alerted immediately so that a fix could be implemented. Omnivox is in use at hundreds of colleges and universities in Canada, so it’s quite likely that the exploit could have affected schools other than Dawson, too.
No alarm bells had gone off yet, but when Al-Khabaz decided to fire up the Acunetix web exploit testing kit to see if the hole had been patched Skytech took notice. Skytech noticed the activity in its log files and subsequently informed Al-Khabaz that he was breaking the law and could face charges and possibly jail time. Edouard Taza, president of Skytech, admitted being impressed with the students’ ability to spot the flaw, but noted that the use of Acunetix crossed a line.
And apparently Dawson College agreed. The computer science department voted 14 to 1 to expel Al-Khabaz, who has now seen his straight-A grades reduced to zeroes across the board. A pair of attempted appeals were denied, and he’s now left wondering what his academic future will hold.
Al-Khabaz told The National Post that if it wasn’t for their discovery, “Students could have been stalked, had their identities stolen, their lockers opened and who knows what else.” He added, “I found a serious problem, and tried to help fix it.”
It’s hard to believe that another college in Canada won’t step up and turn a blind eye to the expulsion in the wake of all this publicity, but it’s too bad that a student that was operating in the open to protect his classmates had to be made an example of.
Via Geek.com