Since when is a test account not for testing purposes? When it is used to pen test web applications against an Omnivox student portal test server without prior authorization? Next, if a privacy law prohibits mentioning details about students, yet a college explicitly names a student while defending its position, has that college broken the law? Today’s confusing news about what happened in Canada to 20-year-old Dawson College student Ahmed Al-Khabaz seems to be all over the place regarding the law and points of view. First the college congratulated him for finding and responsibly disclosing the serious security flaw, but try to avoid whiplash, because the college then expelled Al-Khabaz, gave him zeroes across the board, and flagged him as risky for any other college to accept.
Montreal’s Dawson College computer science students Al-Khabaz and Ovidiu Mija were working on a mobile app that would give the 10,500 Dawson College students easier access to their accounts via the Omnivox student and faculty portal page. The Omnivox system is a management platform used by many “junior” colleges in Quebec, serving around 250,000 students. It’s used for everything college-related, from accessing grades, class schedules and assignments to paying student fees, and it holds sensitive personal information such as social insurance numbers, home addresses and phone numbers. The National Post reported that Al-Khabaz and Mija accidentally stumbled upon a security flaw due to “sloppy coding,” allowing “anyone with a basic knowledge of computers to gain access” to any of the 250,000 students’ personal information. They reported this vulnerability, were given a pat on the back from the college, and received a promise that the Omnivox contractor Skytech would fix the flaw within 24 hours.
Two days later, from the comfort of his home, curiosity got the better of Al-Khabaz and he used Acunetix software to see if the security flaw had been fixed. Moments later, the phone rang. “It was Edouard Taza, the president of Skytech,” Al-Khabaz told the National Post. Taza “said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
An interview on CBC Daybreak details “how” the flaw was found as Al-Khabaz broke the NDA and told his side of the story. He said that it was his “moral duty” to check that the “super big leak” was fixed and to check if there were other flaws. Yet Acunetix told Daybreak that “the software was designed to replicate the methodology of a hacker” and said their manual states that you should not use the software on websites without having permission to test, and you should not test on a live website.
Yet Al-Khabaz said it wasn’t on the live website, but on a test server. He was “just trying to help and make sure the data was safe.” Regarding if he asked for permission first to run Acunetix, he said, “I thought it was pretty obvious from my point of view. They gave me a test account and it was made for testing purposes. It was actually also to let them know that they had other vulnerabilities. They didn’t really want to collaborate with us. And we had a lot of stuff; you could have banned the user from logging in, you could have changed somebody else’s password or reset it.” There were other vulnerabilities as well.
Dawson College told Al-Khabaz it was unprofessional conduct, college meetings said he had “criminal intentions,” and the college maintained that the “offense” could be “sanctioned under the criminal code, serious enough to put your future at stake.” Yet CBC Daybreak consulted a lawyer about Al-Khabaz’s case. The attorney said, “If anything, you may have breached the copyright act, not the criminal code, and even at that it would have to be demonstrated that you then used the information you found.”
For a confusing twist and turn, the sometimes heated and name-calling discussion on the Full Disclosure mailing list (seclists) points to Canadian law that does make Al-Khabaz’s actions sound like a crime. While I most assuredly do not know the laws in Canada (in the USA you must first have permission before attacking a website to test its security), according to Dawson College’s Omnivox usage conditions, “unauthorized access” is expressly forbidden. This includes, “Any attempt to access an account that is not your own constitutes fraudulent use liable to severe sanctions, including expulsion from your establishment. These sanctions are in addition to any other appropriate recourse in terms of civil or criminal law suits.” The restrictions pertaining to the use of content include “Obstruct, perturb or use in an abusive fashion the services of Omnivox, its servers or the connected networks.”
Conversely, under “security and confidentiality” it states, “The Omnivox Technology used at Dawson College subscribes to very rigorous rules with regards to security and confidentiality. Every precaution has been taken so that the information pertaining to you is protected against any error, loss or unauthorized access.” Clearly this was not true.
According to the Dawson College statement, “Under the terms of Quebec privacy laws, it is illegal to discuss the details of student files with individuals or with the media.” Yet the very next paragraph mentions the student by name, so does that break the privacy law? “In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student was expelled are inaccurate.” The statement claims the student ignored a cease and desist order.
Dawson College director general Richard Filion told CBC's Homerun that the case couldn’t be discussed based on regulation restrictions, but dealt with a serious breach of the “values and principles” as well as the "professional code of conduct that all students from the computer science department are asked to abide by." Filion called it a “Criminal code access without authorization of computer service. It happened more than once thus this type of sanction.” It wasn’t reported to police.
The Dawson College Student Union is in an uproar, trying to get Al-Khabaz reinstated. Yesterday the college site was inaccessible. Alex Simonelis, one of Al-Khabaz’s former Computer Science Department instructors, wrote a letter to the Montreal Gazette which raises questions that the media did not ask. You can see exactly what Dawson College had to say in Al-Khabaz’s letter of expulsion. 14 of 15 Dawson Computer Science professors voted to expel him; the letter also states that he “injected SQL code” into the system. Among others, the letter was signed by Ken Fogel, Coordinator and Chairperson of the Computer Science Technology Program at Dawson College in Montreal, Canada, who “specialize in courses on Java programming.”
While controversial, “Had Hamed not made his discoveries, the personal data of millions of Québec students, College and University staff, as well as alumni dating as far back as 1994 would have continued to be easily exploitable,” states the HamedHelped website, which is trying to muster support for Hamed. There are currently 11,527 people, and growing, who have signed the petition to Help Hamed. “We, the undersigned, call on Dawson College to immediately reinstate Hamed Al-Khabaz in their Computer Science program, refund all monies lost as a result of his unjust expulsion, and offer him a full public apology.”
According to Day one of going public, January 21, 2013, the Al-Khabaz site received “34,000 clicks. 22 interviews. 5,000 signatures. 7 job offers. 1 scholarship.”
One of those job offers was from Skytech, which originally said, “The attack … made the College portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College portal out of order for the entire students and teachers population of Dawson.” Now Skytech has backpedaled away from saying it threatened police action over the “cyber attack,” says it considered Al-Khabaz’s actions helpful, and has offered him a part-time job at Skytech as well as a full scholarship to a private college. The “Internet” was not appeased: trying to access the Skytech site earlier resulted in a “403 Forbidden: Access is denied” error.
Hopefully it all works out for Al-Khabaz, as it apparently has for the other student involved, given that there are no news stories flooding the wires about him. Yet the entire situation stinks: When is a test account not for testing purposes? If a privacy law prohibits mentioning details about students, how can that student then be mentioned by name? This sort of trouble is why some white hats would rather not report a security vulnerability. Let this serve as a cautionary tale… ask first before you hack that site and test it for vulnerabilities.