iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Four computer science students from the University of Malta who identified a major security vulnerability in popular student app FreeHour have been arrested and are currently under investigation by police.
The four students — Luke Collins, Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri — were scanning through the app’s software when they stumbled across a vulnerability, which they say could have resulted in private user data being leaked.
The app, which allows users to share their timetables with friends, could have left location data, email addresses and the Google calendars of user at risk, with the vulnerability allowing them to request whatever information they desired from the app’s servers.
“In simple terms, every user is an admin without knowing it,” said student Luke Collins.
Where a server would usually check a request for private data and deny unauthorised users, FreeHour granted access to any user to the requested information.
In addition, the students also said that the vulnerability allowed them to change the app’s interface, which was proven through a trial by the students.
Upon finding the vulnerability on 18 October last year, the students emailed the owner of FreeHour explaining the vulnerability, and while not asking for money, did suggest that they could be eligible for a “bug bounty”, an award that companies offer when individuals or groups notify them of bugs in their software.
The students gave the university a three-month deadline, after which they would expose the vulnerability.
However, the students instead had their devices taken and were arrested and strip-searched a month later.
Now, the students face up to four years in prison and a maximum fine of €23,293 (just over $38,000), charged with illegal, unauthorised access under article 337 of the Criminal Code.
Zach Ciappara, founder and chief executive of FreeHour, has said in a video that the company never pressed charges against the four students and that it was never the company’s intent to get them into trouble.
Ciappara said that following the email from the students, he contacted the Information and Data Protection Commissioner and the Cyber Crime Unit for advice and that the vulnerability was patched within 24 hours.
He also said that the company was legally required to file a report on the data breach within a certain deadline.
“Our intent was to report this breach to cover us legally. Our intent was never to get these students in trouble,” he said.
“When someone or anyone manages to gain access to your back end or exposes a vulnerability that puts data at risk, there’s a legal obligation to consult the authorities.”
It was at this point that FreeHour filed a report with the IDPC. “Under GDPR, we had to make this report,” Ciappara said.
In response to the incident, students have taken to social media, furious that their data was at risk in the first place and angry that the four students that exposed the issue were arrested.
Angry student comments can be seen on recent posts on the FreeHour Instagram page, like the one below.
View this post on Instagram
“You had 4 people arrested for pointing out a security flaw in your system, instead of claiming responsibility for your incompetence you push the blame onto someone else. It’s disgraceful and extremely irresponsible,” said one user.
“Does the Free in Freehour stand for ‘free access to private data’?” commented another.
Comments on the post also suggest that FreeHour removed the delete account button following the incident.
Be the first to hear the latest developments in the cyber industry.
