The vulnerability exposed the details of 250,000 students

Jan 21, 2013 09:57 GMT

Unfortunately, there’s still a very thin line between security research and hacking. That’s the lesson learned by 20-year-old Ahmed Al-Khabaz, a computer science student at Dawson College in Montreal.

According to the National Post, Al-Khabaz identified a security hole in the Omnivox software – an application used by most general and vocational colleges in Quebec – while working on a mobile app designed to allow students to access their accounts more easily.

He found that because of “sloppy coding,” anyone with basic computer skills could gain access to the personal details of over 250,000 students, including their social insurance numbers.

The student immediately reported the flaw to the Director of Information Services and Technology, who promised that he and Skytech, the company responsible for developing Omnivox, would address the issue.

However, things started to turn ugly when Al-Khabaz wanted to verify whether the security hole had been fixed. He used the Acunetix Web Vulnerability Scanner to test the website.

Shortly after, he was contacted by the president of Skytech who accused him of launching a cyberattack against the company. Skytech told the student that he could go to jail, unless he signed a non-disclosure agreement.

The student agreed to sign the non-disclosure agreement, but his problems were far from over. Professors in his college’s computer science department decided to expel him for unprofessional conduct, without giving him the chance to tell his side of the story.

In a statement provided to the National Post, Skytech representatives admitted that they had mentioned the legal implications of his acts when they called up Al-Khabaz, but they denied making any threats.

On the other hand, they do believe that the student crossed the line when he ran Acunetix, arguing that such pieces of software could cause a system to crash.

Now, the student fears that his academic career is ruined because of the incident.