School expels student for ‘unprofessional conduct’ after he discovers, tests system security vulnerability
A former Montreal college student is alleging that he was unfairly expelled from his college’s computer science program after he revealed a gaping cybersecurity flaw to school officials.
The security flaw, identified by 20-year-old Ahmed Al-Khabaz, was what he described as “sloppy coding” that left more than 250,000 students’ personal information vulnerable to hackers and identity thieves, the National Post reported Sunday.
The computer system — Skytech’s Omnivox, used by most Quebec CEGEPs (General and Vocational Colleges) — contained such personally identifying information as home addresses, phone numbers and social insurance numbers.
Al-Khabaz found the flaw while working on a mobile app to give students better access to their college accounts. Even his own personal information in the system was vulnerable because of the flaw.
He notified system administrators at his now-former school, Dawson College in Montreal, of the flaw out of a “moral duty to bring it to the attention of the college and help to fix it,” he told the publication.
“I could have easily hidden my identity behind a proxy,” he said. “I chose not to because I didn’t think I was doing anything wrong.”
An initial meeting with Dawson’s Director of Information Services and Technology François Paradis in October had Al-Khabaz thinking that the school was grateful for his work. Both he and his colleague Ovidiu Mija were congratulated by Paradis, The National Post reported.
Two days later, Al-Khabaz reportedly ran a vulnerability scanning program called Acunetix against the school’s network, without the school’s prior knowledge or approval, to see if the flaw had been fixed.
The unauthorized security scan triggered alerts of a system intrusion, prompting Skytech president Edouard Taza to personally call Al-Khabaz’s parents’ home, where he had been staying.
Taza accused Al-Khabaz of engaging in a cyberattack against Omnivox and warned of legal action, although he has denied making any threats against Al-Khabaz.
Fourteen out of 15 computer science professors at the school then voted to have Al-Khabaz expelled several weeks later in November, citing his “unprofessional conduct.”
Attempts to appeal the decision were denied by school administrators. Al-Khabaz has said that he is unable to get into another college because his grades were reduced to zeros.
He maintains that he did nothing wrong and that his academic career is “completely ruined.”
“In the wrong hands, this breach could have caused a disaster,” he told The National Post. “Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”
Director of Internal Affairs & Advocacy for the Dawson Student Union Morgan Crockett told the publication that Dawson “betrayed a brilliant student to protect Skytech management.”
A petition to have Al-Khabaz reinstated was started, and as of 9 p.m. EST Monday, the petition had obtained 4,353 signatures from around the world. Signatories hailed from across Canada, and as far away as Brisbane, Australia.
Hacktivists affiliated with Anonymous also reportedly attacked Dawson’s site as retaliation for Al-Khabaz’s expulsion, Crockett tweeted Monday.
Skytech has since offered Al-Khabaz a part-time job and scholarship to a private school should Dawson not reinstate him, a Skytech employee told the Montreal Gazette Monday.