Students are expelled for using a web vulnerability scanner





Ahmed Al-Khabaz, a 20-year-old student, has been expelled from the computer science department at the Montreal College. The reason: he twice ran a web vulnerability scanner against the school's website, and in doing so found a dangerous vulnerability in the Omnivox training portal that almost all Quebec colleges and universities use. By doing this, he allegedly "put at risk" the private data of 250 thousand students.



A student at Dawson College (Montreal) and a member of the local computer club, Ahmed was working on a mobile application that would make it easier for students to work with their data on the training site. While working on the program, he and his colleagues discovered the vulnerability in Omnivox mentioned above. Due to "careless coding," anyone with basic computer knowledge could access any student's profile in the system, including the social security number, home address, telephone number, class schedule, and everything else.



When Ahmed discovered the vulnerability, he considered it his moral duty to report it to the leadership of the college. "I could easily have hidden my identity behind a proxy. But I did not do this because I did not think that I was doing something bad," the student said in an interview with the Canadian newspaper National Post.

Ahmed and his friend, also a programmer, were invited to meet with the college's director of information technology. He thanked them for their work and promised that, together with Skytech, the developer of Omnivox, they would close the vulnerability in the near future.



Two days later, Ahmed decided to check whether the hole had been closed or not. He launched the Acunetix web vulnerability scanner, and almost immediately received a call from Skytech. The president of the company called personally and said that this was the second time he had seen Ahmed in his logs, and that what he was doing was called a cyber attack. Ahmed apologized several times and explained that he was the one who had discovered the vulnerability he had reported a couple of days earlier, and that he was now just checking that it was closed. The president of Skytech said that the young man faced 6 to 12 months in prison if he did not come and sign an NDA (non-disclosure agreement) right away, which the student did. Under this document, he had no right to disclose any information found on Skytech servers, or any other information relating to Skytech, its software, or ways of accessing its servers.



The agreement also prohibited the disclosure of the existence of an agreement.



In an interview with the National Post, the company's director later explained that every piece of software has bugs, and that Ahmed and his friend had found a tricky security bug, but that using a scanner was already a violation. Such programs, he says, can only be used before notifying the server owner.



The leadership of the college learned of the student's "misconduct" and initiated expulsion proceedings against him for a "serious violation of professional ethics" (serious professional conduct issue). After discussion, the question was put to a vote among 15 professors of the computer science faculty, and 14 of them voted for expulsion. Ahmed himself considers it unfair that he was not given the opportunity to explain the situation in person before the faculty council.

Source: https://habr.com/ru/post/166459/