Canadian Hamed Al-Khabaz was expelled for revealing holes in his college's network but has now been taken on by the developer.3:41pm UK, Wednesday 23 January 2013
Dawson College where Mr Al-Khabaz studied (photo: Safesolvent.com)

A Canadian student who exposed a security weakness in his college's database has been offered a job by the computer firm which made the software.

Hamed Al-Khabaz had been expelled from the higher education establishment in Montreal for exposing the flaw, but has now been thrown a lifeline by the company he embarrassed.

The 20-year-old had found that it was possible to access the social security numbers and contact information of other Quebec students just by changing a few numbers in web addresses.

After he went public and then tried to test whether the potential breach had been fixed, Dawson College decided he had broken its rules and expelled him.

But then the firm which designed the database stepped in and handed him a scholarship and employment.

Edouard Taza, the president of Skytech Communications, told Canada's CBC News: "We will offer him a scholarship so he can finish his diploma in the private sector."

He added that Skytech had offered him a part-time job in information technology security.

Mr Al-Khabaz had stumbled upon the flaw while working on a mobile application for the college's website. Dawson College is a pre-university higher education establishment.

Its website runs a programme called Omnivox which allows students to make changes to their timetable online.

Omnivox also stores thousands of social insurance numbers, home addresses, phone numbers and other information that was vulnerable even to a novice hacker, according to Mr Al-Khabaz.
Hamed al Khabaz has been offered a new job. (photo: Safesolvent.com)
He found that by changing a few characters in the URLs - the specific numbers of individual web pages - he could potentially access the details of up to 250,000 other students across Quebec.

He reported the flaw to Dawson College and was praised for doing so but then, several days later, decided to test whether anything had been done about it.

As soon as he did so, he received a call from Skytech threatening him with police action for computer hacking if he did not sign a non-disclosure agreement.

He was then told he was being expelled from Dawson College, given zeros for his earlier college work and would have to pay back thousands of dollars in grants.

It looked hopeless until Skytech realised that it was in their interest to employ someone who had proved themselves capable of testing their systems thoroughly.

Mr Al-Khabaz said: "This wasn't a game for me, it was my moral duty to protect the students' data.

"If I was really acting maliciously, I could have concealed my identity, stolen all of that information and sold it. But instead I alerted the right people; I just tried to make sure they were following through and fixing the site's weaknesses."

The college stood by its decision to expel Mr Al-Khabaz, saying it had warned him not to attempt to breach the computer system.

In a statement to CBC News it said: "When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student."

A statement on Skytech's website said: "We believe that this event should not prevent this gifted student who helped to find a security problem, doing what he loves the most.

"We will ask the student to work for us on mandates in computer security, so that he can work in the field he loves."

http://news.sky.com/story/1041705/student-who-exposed-it-flaw-offered-job