Pupil expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students’ personal data

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

Moral duty and big institutions don’t necessarily agree, especially in a field as “scary” as computing. Sometimes disclosing a vulnerability, while the right thing to do, sucks. What can you do?

Disclose vulnerabilities in a friendly way when possible.

I found a few bugs in a few sites towards the end of last year¹. In both cases, I felt safe disclosing them to the site management: they’re both companies with good customer service, and a reputation for being approachable and doing the right thing. In one of the cases, I worked closely with a developer of the site to escalate the bug I found into a more serious one, while they worked on a fix.

What if the software owners are assholes?

Maybe disclose anonymously: go to Starbucks, connect to Tor, get a new Gmail account, and only ever use that Gmail account over Tor. If it’s received in a hostile manner, copy a full-disclosure list, sell it, or forget about it: it’s up to you.

If they can’t play nice, you can still do what you know to be the right thing.


1: You may even use the sites!