Ahmed Al-Khabaz, who was studying computer science at Dawson College, discovered that the student software managing their college accounts had a significant flaw that could allow any user to retrieve students' personal information, according to the National Post.
Al-Khabaz brought the issue up with the college, which thanked Al-Khabaz and the fellow student who discovered the flaw with him, and he was told that the college would work with the creator of the software, Skytech, to ensure it was fixed. The software in question, Omnivox, is also in use at a number of other universities.
When Al-Khabaz tested the system two days later, he received a phone call from Skytech President Edouard Taza, who, according to Al-Khabaz's account of the incident, threatened to have him arrested unless he signed a non-disclosure agreement, which, in addition to preventing him from discussing the issue, also prevented him from disclosing that such an agreement even existed.
Al-Khabaz had used a toolkit called Acunetix to test whether the flaw still existed. It typically tests for common vulnerabilities, such as cross-site scripting flaws or cases where a developer has failed to protect against SQL injection attacks. Many of the tests can simply be attempted manually, but probing web applications falls into a relatively grey area, legally and ethically.