While developing an app to simplify remote access to the college portal, two Dawson College computer science students stumbled on a serious security vulnerability in the access portal which administered data for all students at their college. The vulnerability could be exploited to access personal data for all students on the system with very little effort. A total of 250,000 student records were reported to be affected.
The students, Hamed Al-Khabaz and Ovidiu Mija, reported the vulnerability to the head of the computer centre at Dawson College in Montreal, Canada. He congratulated them on their discovery and forwarded the report to the company behind the software. The students were assured that the vulnerability would be fixed immediately.
Two days later, Al-Khabaz was curious as to whether the company had kept its word. Shortly after accessing the company's web site using the web vulnerability discovery tool Acunetix, his phone rang. He found himself talking to Skytech president Edouard Taza. Taza told Al-Khabaz that the company considered his actions to be a malicious attack and threatened to call the police unless he signed a non-disclosure agreement, which Al-Khabaz duly did.
Taza has denied threatening the student, telling Canadian newspaper National Post that he merely mentioned the police and legal consequences. According to Taza, checking whether the vulnerability was still open crossed a line – using Acunetix without obtaining the consent of Skytech system administrators could, he claims, have crashed the server.
The student's second intervention provoked a draconian response from Dawson College. The student was first interrogated by college management as to whom he had told about the vulnerability.
Professors at the computer science department then voted to expel Hamed Al-Khabaz from the college, with only one of the 15 professors voting against.
Al-Khabaz lodged two appeals against the decision, both of which were rejected. The expulsion letter says that Al-Khabaz "injected SQL code" into the system. Within just a few weeks, the model student had become a pariah. His college record now states that he was expelled from Dawson College for unprofessional conduct.

Source: heise, http://www.h-online.com/security/news/item/College-expels-student-for-reporting-security-hole-1789138.html
Company offers scholarship to Dawson student who exposed security flaws
The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software. "We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.
But Dawson stands by its decision
In an interview with CBC's Homerun, Dawson director general Richard Filion said the school expelled Al-Khabaz based on the school's professional code of conduct.
"We're not doing this blindly, we're not doing this with happiness, but we had to consider a serious breach in these values and principles," said Filion.
The Dawson Student Union is appealing for the school to reinstate Al-Khabaz.
"Hamed is a brilliant computer science student who simply wanted to help his school," said Morgan Crockett, the union’s director of internal affairs and advocacy.
"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."

Source: CBC