Updated 5.16pm with KSU response
Students have taken to social media to express their anger that their data was put at risk and that four students were arrested over exposing a security flaw in the popular app, FreeHour.
Times of Malta revealed on Tuesday that Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were arrested, strip-searched and had their computer seized when they found a vulnerability.
The computer science students say they discovered that email addresses, location data and control of people’s Google calendars were all potentially vulnerable to malicious hackers.
FreeHour says the flaw was fixed within 24 hours.
However, the app's Instagram account, which has almost 54,000 followers, was inundated with angry messages from students.
“FreeHour? More like FreeData,” one person said, echoing a sentiment seen across the 150 comments.
“When’s the data giveaway happening?” another asked, in a sarcastic reference to the platform's regular giveaway events.
Local blogger Katrina Cassar took to Facebook to share her pride in her friends who were “able to reveal a potential data leak”.
“FreeHour Malta - shame on you. A group of students found a flaw in your system and you had them arrested, strip-searched, and their devices taken away,” she wrote.
Responding to the backlash, FreeHour CEO Zach Ciappara posted a video to Instagram defending the company's decision to report the students.
“Our intent, and this is very genuine, our intent was to report this to cover us legally,” Ciappara said.
He said they had a legal obligation to report the matter to the relevant authorities and that it was never their intent to “go after these students directly.”
Since their report, Ciappara said that they have not been given updates on the investigation from police and that, even while reading the article, there were details that were new to them.
“Luckily no data was compromised and the flaw in the system was fixed in a few hours. Within 24 hours a patch was released which made everyone’s data secure,” he said while pleading for the case to settle itself “in the best way possible.”
Meanwhile, other students with Android phones noted that they did not have the option to delete their account from the app, which allows students to share their schedules.
“Can anyone figure out how to delete the app? I can only find a log out button,” one user said.
The option for a user to delete their account is still available for iOS users while Android devices do not have the option.
Pledge to cover legal costs
The University Students’ Council (KSU) expressed their disappointment that the group of students were arrested for their efforts.
“It is equally frustrating to see a set of outdated laws be misapplied in such a situation, coupled with the overly swift action taken by the police,” KSU President Alexandra Gaglione told Times of Malta.
As students become more mindful of their data security and safety, situations such as this one may lead to students becoming fearful of speaking against infringements of their own safety, she said.
“It is inconceivable to think that what started out as a well-intentioned warning to the company centred around the protection of sensitive user data has led to the students’ detriment.
“KSU will be approaching the students to cover any legal expenses they may incur,” she pledged.
A number of people have also contacted Times of Malta to offer to pay for their legal counsel.
Political support
Meanwhile, the four students have received the support of ex-PN leader Adrian Delia.
“This is not a normal country,” he said, criticising the fact that the students were investigated “instead of being given help and a guarantee that things will be fixed”.
Delia also noted that FreeHour, which is part-owned by Lovin Malta, did not fulfil its obligation to inform all its users of the potential breach.
“We have yet another situation where the person who reports ends up being investigated!”
Human rights lawyer and former MP and MEP Therese Comodini Cachia also defended the students as they were arrested while the “professionals at FreeHour go scot-free for exposing students' information to hacking?!”
Political party Volt called for legal amendments to ensure good Samaritan laws for ethical hackers.
“It is clear that the intention of the youths was in the interest of the public good and their aim was to have the firm fix its vulnerability,” the party said.
“The youths should not be punished for doing the company's job.”