Student expelled for using web vulnerability scanner
Twenty-year-old student Ahmed Al-Khabaz has been expelled from the computer science program of Dawson College in Montreal. The reason given was that he twice ran a web vulnerability scanner against the institution's website, and in doing so found a serious vulnerability in the Omnivox student portal, which is used by almost all colleges and universities in Quebec. He is thus alleged to have "compromised" the private data of 250 thousand students.
A Dawson College student and member of the college's computer club, Ahmed had been working on a mobile application that would make it easier for students to access their own data on the portal. While working on the app, he and his colleagues discovered the vulnerability in Omnivox. Because of "careless coding", anyone with basic computer knowledge could gain access to any student's profile in the system, including their social insurance number, home address, phone number, class schedule, and everything else stored there.
When Ahmed discovered the vulnerability, he considered it his moral duty to inform the college administration. "I could easily have hidden my identity behind a proxy. But I didn't do it, because I didn't think I was doing anything bad," the student said in an interview with the Canadian newspaper National Post.
Ahmed and a friend, also a programmer, were invited to meet with the college's director of information technology. He thanked them for their work and promised that the college, together with Skytech, the developer of the Omnivox system, would close the vulnerability in the near future.
Two days later, Ahmed decided to check whether the hole had actually been closed. He ran Acunetix Web Vulnerability Scanner against the site, and almost immediately his home phone rang: it was Skytech. The company's president called personally and said that this was the second time he had seen Ahmed in his logs, and that what Ahmed was doing was a cyberattack. Ahmed apologized several times and explained that he was the one who had discovered and reported the vulnerability a couple of days earlier, and that he was now just verifying that it had been fixed. Skytech's president replied that he could face 6 to 12 months in prison unless he came in right away and signed a non-disclosure agreement (NDA), which the student did. Under that document he may not disclose any information found on Skytech's servers, or any other information relating to Skytech, its software, or the methods used to access its servers.
The agreement also prohibited disclosing the existence of the agreement itself.
In a later interview with the National Post, the company's president explained that every piece of software has bugs, and that Ahmed and his friend had found a tricky security bug, but that running the scanner was already a violation. Such tools, he said, may only be used after first notifying the owner of the server.
The college administration learned of the student's "misconduct" and initiated expulsion proceedings against him for a "serious professional conduct issue". After discussion, the matter was put to a vote among the 15 professors of the computer science department, and 14 of them voted for expulsion. Ahmed himself considers it unfair that he was not given the opportunity to explain the situation to the faculty council in person.