A student at Montreal’s Dawson College was recently expelled following his discovery of a software vulnerability in an application used by most Quebec General and Vocational Colleges (CEGEP). The flaw, a result of what the student called ‘sloppy coding,’ could expose the personal data of more than 250,000 students across the province’s college system, Canada’s National Post reported.
Ahmed Al-Khabaz, the 20-year-old computer science student, found an error in a program called Omnivox while working on a mobile app to improve students’ access to their college accounts. Anyone with basic computer knowledge could access students’ personal information, including their social insurance numbers, contact information and class schedules, Al-Khabaz told the National Post.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” he told the publication. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
When Al-Khabaz later followed up to check whether the flaw had been fixed, he was contacted by Omnivox’s developer, Skytech, and told there could be legal consequences, according to the National Post. Although Skytech took no further action, Dawson College, deeming Al-Khabaz’s behavior a “serious professional conduct issue,” expelled him.
After his case became something of an international cause, Al-Khabaz was offered a part-time job and a scholarship by Skytech, the Montreal Gazette reported. Data security expert Terry Cutler told the newspaper he thought the school should be grateful Al-Khabaz had made the discovery: unsecured personal data is a major problem for Canadian organizations, and a breach of this kind could have cost Dawson millions of dollars. To avoid similar controversy and fallout, software vendors can adopt more secure development practices, such as using source code analysis tools to catch flaws before an outsider does.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.