College expels student for re-testing security hole

While developing an app to simplify remote access to the college portal, two Dawson College computer science students stumbled on a serious security vulnerability in the access portal which administered data for all students at their college. The vulnerability could be exploited to access personal data for all students on the system with very little effort. A total of 250,000 student records were reported to be affected.

The students, Hamed Al-Khabaz and Ovidiu Mija, reported the vulnerability to the head of the computer centre at Dawson College in Montreal, Canada. He congratulated them on their discovery and forwarded the report to the company behind the software. The students were assured that the vulnerability would be fixed immediately.

Omnivox, the administration package involved, is made by Canadian company Skytech and collates all personal data of the students. According to the vulnerability's discoverers, "a basic knowledge of computers" was all that was required to gain access to personal data pertaining to any student on the system, including home addresses, phone numbers, timetables and social security numbers. Omnivox is not just used by Dawson College – the system is being utilised by many major Canadian higher education institutions.

Two days later, Al-Khabaz was curious as to whether the company had kept its word. Shortly after accessing the company's web site using the web vulnerability discovery tool Acunetix, his phone rang. He found himself talking to Skytech president Edouard Taza. Taza told Al-Khabaz that the company considered his actions to be a malicious attack and threatened to call the police unless he signed a non-disclosure agreement, which Al-Khabaz duly did.

Taza has denied threatening the student, telling Canadian newspaper National Post that he merely mentioned the police and legal consequences. According to Taza, checking whether the vulnerability was still open crossed a line – using Acunetix without obtaining the consent of Skytech system administrators could, he claims, have crashed the server.

In the National Post, Taza describes the discovery of the vulnerability as smart. Reports from other media sources state that in order to access student personal data, an attacker would merely need to swap a sequence of numbers in the URL.

The student's second intervention provoked a draconian response from Dawson College. The student was first interrogated by college management on whom he had told about the vulnerability. Professors at the computer science department then voted to expel Hamed Al-Khabaz from the college, with only one of the 15 professors voting against. Al-Khabaz lodged two appeals against the decision, both of which were rejected. An apparent copy of the expulsion letter says that Al-Khabaz "injected SQL code" into the system.

Within just a few weeks, the model-student had become a pariah. His college record now states that he was expelled from Dawson College for unprofessional conduct. The result is that Al-Khabaz is unable to find another Canadian higher education institution willing to offer him a place. The Dawson College Students' Union is supporting the student and has set up a web site to collect support for reversing the decision to expel him. Morgan Crockett of the Students' Union believes that the college betrayed Al-Khabaz to protect Skytech's image.

Various Canadian media have now picked up on the story and the media storm looks like it is starting to bear fruit. Skytech boss Taza told CBC News that the company has offered Al-Khabaz a scholarship to enable him to complete his degree at a private higher education institution. He also told the media outlet that he had offered the student a part-time position in the company's information security department. Dawson College, by contrast, is sticking to its guns, claiming that Al-Khabaz breached its code of conduct and that his expulsion was justified.

(fab)