Dawson student expelled after finding student portal security flaw
Published Monday, January 21, 2013 3:37PM EST
A student who was expelled from Montreal’s Dawson College after discovering security flaws in the online portal used by post-secondary students across Quebec said there was no criminal intention behind his actions and wants to be allowed back to class.
Hamed Al-Khabaz was expelled last November after he found “massive shortcomings” in the Omnivox software created and operated by Skytech Communications. The flaws left the personal data, including the social insurance numbers, of more than 250,000 current students and millions more past students vulnerable to theft, he said.
Al-Khabaz, a 20-year-old computer science student in his second year, said he discovered the flaw on Oct. 20, when he was logged in to his profile and sent a friend a link to his profile picture. The friend, who was at another computer, could see Al-Khabaz’s picture even though he was not logged in to the system.
Al-Khabaz said it took him and his friend 20 minutes to figure out that by decoding the encrypted links, inserting other student identification numbers in plain text and then re-encrypting the links, he could access other students’ profiles.
“The main issue is the whole system is based on this encryption,” Al-Khabaz told CTVNews.ca in a telephone interview. “So we’re talking about social insurance numbers, we’re talking about grades, we’re talking about schedules… a lot of stuff. All our student information, all our lives are stored in that database.”
Al-Khabaz said he met with the school’s head of information technology a few days later to demonstrate the flaw, and was told the problem would be fixed immediately.
Two days later, he confirmed the fix had been done, but found other problems. During these checks, Al-Khabaz said he received a call from an official at Skytech, which was getting messages that someone was trying to gain unauthorized access to the system.
Al-Khabaz said he was accused of launching a cyber-attack and threatened with jail and a lawsuit. Al-Khabaz said he wanted to help the company close the security loopholes, and so signed an agreement that he would hand over all of the information about the flaws that he had discovered in exchange for agreeing to not speak publicly about his findings.
The company also agreed not to take legal action against him, he said.
Skytech Communications did not immediately respond to both a phone and email request for comment.
However, Skytech president Edouard Taza told the National Post that while he mentioned legal and police consequencesin his call to Al-Khabaz, he did not utter threats.
“All software companies, even Google or Microsoft, have bugs in their software,” Taza told the Post. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”
Al-Khabaz said he was happy to collaborate with the company and help them to find solutions. However, Dawson College decided on Nov. 14 to expel him from the school. The school rejected his appeals and he now must repay nearly $5,000 in bursaries and loans.
School officials would not discuss the specifics of Al-Khabaz’s case, citing Quebec privacy laws.
However, a statement provided to CTVNews.ca outlined the steps the school takes before a decision is made to expel a student.
“The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student,” the statement said.
“When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student.”
Al-Khabaz said he did not receive any such advisory from the school before he was notified of his expulsion. And he is concerned that his student file contains a note in which he is accused of not only breaching the school’s code of conduct, but also having criminal intentions, which he denies.
“I thought it was my moral duty,” he said, of checking up on the fix and looking for more potential security flaws. “I thought what I was doing was right for checking that fix.”
Al-Khabaz said he is afraid he won’t be able to continue his studies at another school because he was given zeroes on his courses for this semester and due to the note on his file.
The Dawson Student Union has launched a website, hamedhelped.com, where supporters can sign a petition demanding that Dawson College reinstate and apologize to Al-Khabaz.
"Hamed is a brilliant computer science student who simply wanted to help his school," Morgan Crockett, director of internal affairs and advocacy of the Dawson Student Union, said in a statement.
"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."
Meanwhile, school officials say they are confident that student data is safe.
Communications officer Donna Varrica said once it was brought to the school’s attention, the security flaw “was redressed within a matter of hours.”
“Our security systems have been upgraded and we now constantly monitor systems to maintain the integrity of our student information,” Varrica said, suggesting that the publicity about Al-Khabaz’s case “will surely incite other hackers to try their hand.”