A student from Montreal Dawson College has been expelled from the school with failing grades after exposing a security flaw in a computer system used by a number of Quebec general and vocational colleges. The "sloppy code" found by Ahmed Al-Khabaz and a fellow student reportedly put the personal information of some 250,000 students at risk, according to a report from the National Post of Canada.
Al-Khabaz and Ovidiu Mija discovered the security flaw last fall. After running a test to confirm the risk was legit, the computer science student said that anyone with basic knowledge of computers could gain access to personal information like social insurance number, home address, phone number and even class schedule - or pretty much all information that the college has on a particular student.
The duo brought the issue to the attention of Francois Paradis, Director of Information Services and Technology at the school. They were congratulated and left with the promise that Skytech, the company behind the flawed software, would fix the issue immediately.
Two days later, Al-Khabaz decided to check the vulnerability a second time to see if the company had fixed the problem yet. Moments later, his phone rang - it was Edouard Taza, the president of Skytech. According to Al-Khabaz, Taza said the security check boiled down to a cyber attack and he could be arrested unless he signed a non-disclosure agreement to keep him quiet about the incident.
Taza later told the publication that he recalled mentioning police and legal consequences but there were no threats or non-disclosure agreements. He said the company was able to fix the problem immediately before anyone could access private information. The executive said he was please with the work of the students but Al-Khabaz's use of the testing software crossed a line. Ultimately, Taza said the student simply made a mistake and there was no indication of malicious intent.
The school, however, wasn't as forgiving. After meeting with the coordinator of the department and the school's dean, the 15 professors in the department were asked to vote whether or not to allow Al-Khabaz to remain in school. 14 voted to kick him out of the college.
"I was acing all of my classes, but now I have zeros across the board," Al-Khabaz said. "I can't get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won't be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."