A computer science student from Dawson College in Montreal says he was expelled after he discovered security gaps in the college’s online student portal that exposed personal information that included social insurance numbers and transcripts of more than 250,000 students in Quebec.
Hamed Al-Khabaz, 20, said he came across flaws in the software used by the college while he was trying to create a mobile app that would give students easier access to their school accounts. As he probed into the portal used by students in Quebec’s CEGEP program, he found that by simply exchanging student numbers in the encrypted links, he could access information such as SIN numbers, transcripts and home addresses.
“It was completely insecure,” he said. “Anyone in the world could log in and access someone’s data.”
Al-Khabaz immediately alerted the head of information technology for the school about the breach in the Omnivox software used by the college. At first he was thanked for the discovery.
“At the time, the head of IT gave me a test server and test account to show him how vulnerable the system was,” said Al-Khabaz. “He was shocked.” The college called Skytech, the makers of the Omnivox software, to fix the security gap.
A few days later, Al-Khabaz decided to check for himself — and that’s when his problems started.
He decided to run a program to test the site for the vulnerability, and immediately received a phone call at home from Edouard Taza, the president of Skytech, who informed him that he was being accused of launching a cyber attack and that he could face jail time. Taza then gave him the option to sign a nondisclosure agreement, which he did.
Skytech did not pursue any charges or report the matter to authorities.
The school was not as generous. Al-Khabaz was called into the dean’s office, where he was called a “threat” and told that he had a “criminal and malicious intent.”
“That meeting didn’t go very well for me,” he said. “I tried to tell them that I was collaborating from the beginning.”
After the meeting, the college gathered 15 professors in the computer science department to vote on whether to expel Al-Khabaz. Fourteen voted in favour of expulsion. Al-Khabaz said he didn’t attend the vote, and never had a chance to explain his side of the story. He tried to appeal his expulsion to the academic dean, but was denied.
The university has remained tight-lipped about the details of the expulsion, but issued a release on Monday stating that it stands by its decision.
Since then, Al-Khabaz says that he was given zeros in all his classes. A note was left in his academic record saying that he was expelled for unprofessional conduct, leading him to think that “if I apply elsewhere, they would reject me.”
It’s not all bad news for Al-Khabaz. Morgan Crockett, the Dawson Student Union’s director of internal affairs and advocacy, confirmed that Taza had offered Al-Khabaz a scholarship so he can finish his diploma at a private college and offered him a part-time job in the IT security industry.
Al-Khabaz said this is the first he had heard of the offer, but would be following up for more information.
The Dawson Student Union has taken up Al-Khabaz’s cause, and launched a website and an online petition to see him reinstated.