Information Security News
mailing list archives
Canadian student expelled for playing security "white hat"
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 22 Jan 2013 00:19:58 -0600 (CST)
By Sean Gallagher
Jan 21 2013
A 20-year-old Canadian computer science student has become, depending on your
point of view, a martyr for computer security or a cautionary tale for students
and others who take an interest in exposing security flaws in software
products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the
security of a student information system used by over 250,000 students, the
school's administration said his acts were a "serious professional conduct
issue" and expelled him. Now, fellow students are demanding his reinstatement,
and the college and its software provider are facing a publicity and security

Al-Khabaz and another student reported finding a security flaw in the mobile
application for Omnivox, a Web-based software package developed by
Montreal-based Skytech Communications that is used by students to access and
manage their personal information and college services—including their Social
Insurance numbers, the Canadian equivalent of US Social Security numbers.
Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz
told the National Post that the software had "sloppy coding" that allowed
anyone "with basic knowledge of computers to gain access to the personal
information of any student"—including virtually all of the personal data the
college had collected on them.
When Al-Khabaz and fellow student Ovidiu Mija reported the problem to the
school's director of Information Services and Technology, they were initially
congratulated for finding the flaw and were told it would be fixed immediately.
But it was Al-Khabaz' next step that landed him in trouble with the school. Two
days later, he decided to check to see if the flaw had indeed been fixed, using
a site security scanning tool called Acunetix.