College administration alleges Ahmed Al-Khabaz was warned not to test the system a second time
After finding a glitch in Dawson College’s data system that could expose the personal information of students and staff, Ahmed Al-Khabaz was expelled.
Al-Khabaz was accessing the Montreal college’s messenger program with a friend when he first discovered the problem.
He was using the college’s messenger app when he discovered his friend could see his profile picture without being logged into his account.
“This is when it hit me, and this is when I started trying to see how it works,” says Al-Khabaz.
He discovered that he could find students’ SIN numbers, addresses, grades, locker information, and schedules, and that he could make changes on their behalf.
He says a glitch of this kind means the entire college’s personal information could potentially be stolen, so he immediately notified the school of his findings and offered to demonstrate the problem to them.
“At the beginning, they really didn’t trust me, but with a bit of convincing, we began a demo in front of the head of the IT department,” says Al-Khabaz.
After demonstrating the glitch using a test account on a test server, Al-Khabaz says the head of Dawson’s IT department was surprised and thanked him and his friend, assuring him the problem would be fixed.
Once notified of the security breach, the college contacted Skytech—the developers of the Omnivox software, which is the software system used at the college—to get the glitch fixed.
The school, although pleased that Al-Khabaz notified them of the potential security problem, did not approve of how he found it, as it was a breach of his program’s professional code of conduct.
“We thanked him for his vigilance, but he was told his behaviour was not part of the professional code of conduct and that he would be subjected to certain terms of a sanction,” says Donna Varrica, Dawson College’s communications coordinator. “Some of his web rights were revoked for a period under the stipulation that his activity would cease.”
Al-Khabaz, who at that time was in the computer science program at Dawson College, says he was told the glitch would be fixed. Because of how he discovered the problem, Al-Khabaz was told not to attempt to do so again, as it would breach the professional code of conduct of his program.
However, a few days later, Al-Khabaz went onto the Omnivox website to test if the problem had been solved.
“I was trying to get [into the system] using the same method as before, which alerted Dawson College and Skytech as somebody was trying to invade their servers,” says Al-Khabaz.
Al-Khabaz says he was then immediately contacted by Skytech.
“They told me they were going to call the RCMP, and that I could spend six to 12 months in prison, but since I helped find the glitch in the system, they wouldn’t press charges if I told them the rest of the issues I found,” says Al-Khabaz.
After notifying the school of the remaining glitches, he signed a nondisclosure agreement with Skytech, but Dawson College was not as forgiving about the situation.
By attempting to enter the system a second time, Al-Khabaz had breached the sanctions placed upon him by the college and was expelled.
“If you’re in a career program, you’re being taught and prepared to go into the workforce, and there’s a certain set of standards that one works by,” says Varrica. “If you’re in blatant disregard of that code, then there are sanctions and consequences for your actions.”
After being expelled, Al-Khabaz met up with a civil lawyer who helped him with his appeal letter, but Dawson College did not reverse the expulsion.
Al-Khabaz decided to seek help from the Dawson Student Union.
“I’m really blessed to have them behind me,” he says.
The Dawson Student Union is currently appealing to reinstate Al-Khabaz into school.
Hamid Adem, Assistant News Editor