22nd January 2013, 07:57 | #1
Student kicked out for exposing huge security flaw
A computer science student at Montreal's Dawson College managed to identify a security flaw in the computer system used by numerous colleges in Quebec. The flaw compromised the security of 250,000 students' personal information, but instead of getting a pat on the back, the student was expelled from the school.
20-year-old Ahmed Al-Khabaz was working on a mobile app to allow students easier access to their college account, but in the process he and a colleague discovered what they describe as "sloppy coding" which would allow easy access to personal information listed on the system. Al-Khabaz said the flaw would make it possible for anyone with basic knowledge of computers to gain access to social insurance numbers, phone numbers, home addresses and even class schedules.
"I saw a flaw which left the personal information of thousands of students, including myself, vulnerable," said Al-Khabaz. "I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."
The college tech director praised Al-Khabaz and his colleague Ovidiu Mija for their work and promised that he would work with Skytech, the makers of the system, to address the flaws. However, two days later Al-Khabaz ran another security check to make sure the problems were corrected, and a few minutes later he got a call from Edouard Taza, the president of Skytech.
Taza told Al-Khabaz that what he was doing was tantamount to a cyber attack and then went on to threaten him with criminal charges and arrest.
"I apologised, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement," said Al-Khabaz.
In the end, Al-Khabaz was expelled and the NDA prevents him from discussing confidential information he found on Skytech servers, or any information relating to Skytech, under pain of further legal consequences.
Taza told the National Post that he did contact Al-Khabaz and that he "mentioned" police and legal consequences, but did not make any threats, as if "mentioning" legal action and involving the police is not a threat.