Canadian College Student Allegedly Expelled for ‘Reporting Bug’
Computer Science student Ahmed Al-Khabaz was reportedly expelled after reporting a security hole in the Omnivox software application its college was using.
The story, as per the report in the National Post, goes like this: while working on a mobile app to let fellow students access their college accounts, 20-year old Al-Khabaz stumbled on a serious bug that would allow anyone unrestricted access to the 250,000-member student directory. Among others, the bug allowed access to both personal information, such as social insurance number, home address and phone number and academics (class schedules).
Al-Khabaz reportedly disclosed the flaw to his professor, who told him the issue would be fixed by Omnivox maker Skytech in an update. Three days later, Al-Khabaz used a vulnerability scanner application at the college’s web application to see if the issue had been fixed. He immediately got a phone call from Skytech president Edouard Tarza.
“He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed,” said Ahmed Al-Khabaz. He got expelled the next day for a “serious professional conduct issue.”
The expulsion triggered a series of protests from the Dawson Student Union, which claims the decision was taken to downplay the importance of the security issue in the Omnivox application. An online petition to help Ahmed has been also posted online shortly thereafter.
Word of advice here: while figuring out bugs and reporting them helps both customers and software companies, probing a web application with commercial-grade penetration testing tools is neither ethical, nor legal. Any software developer with a reputation will gladly take feedback and criticism to improve the quality of their applications based on real-life feedback from the market. But shaking down a web-server to hunt for bugs without proper authorization can have nefarious consequences that are not short of a real attack. So, unless it’s your server or you have the written permission from its owner, keep your hands and scripts off it at all times.