Four computer science students are being investigated by the police after they found and highlighted a security weakness in Malta’s largest student application, FreeHour.
Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were scanning through the software of the app when they found a vulnerability they say could be exploited by malicious hackers.
They emailed their findings to FreeHour’s owner and asked for a reward – or ‘bug bounty’ – for spotting the mistake.
But, instead of a payoff, the University of Malta students were arrested, strip-searched and had their computer equipment seized.
“All we ever wanted was to help,” Grigolo told Times of Malta.
The students say that the vulnerability they uncovered could have meant the potential leak of the private data of the users of the app, which allows students to share their college timetable with friends.
Email addresses, location data and control of people’s Google calendars were all found to have been potentially vulnerable.
The computer science students claim that the vulnerability essentially allowed them to request whatever type of information they wanted from FreeHour’s servers.
They said the vulnerability also allowed them to make changes to the app’s interface which, on one occasion, they did to test if what they were seeing actually worked.
Normally, a server would see a request for private data, check who is requesting it – in this case, it was the students – and deny access as the user does not have the required authorisation.
However, they say that every piece of data requested was authorised by the server and given.
“In simple terms, every user is an admin without knowing it,” Collins said.
The students said they also realised that FreeHour’s servers use Parse, a backend platform for applications, and that it had been left in its default configuration rather than having its security settings set up.
Parse’s own user guide warns apps that a failure to properly adapt it could make it vulnerable to “malicious intrusions, data leaks and unexpected cost increases”.
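The mechanism the students describe, as an added illustration that is not taken from the article or from Parse's own code: a simplified model of how Parse Server gates a request with class-level permissions (CLPs), with a permissive CLP of the kind a freshly created class carries beside a hardened one. The class name "Timetable", the pointer field "owner", the "Admin" role and the user ids are assumptions.

```javascript
// Simplified model of how Parse Server checks class-level permissions (CLPs)
// before serving a request. Added illustration, not Parse's own code: it covers
// "*", "requiresAuthentication", "role:<name>", a user objectId, and the
// class-wide pointer permissions readUserFields / writeUserFields only.

// Constructed CLP of the kind a freshly created class is commonly left with:
// every operation is open to any client that holds the app's public keys.
const DEFAULT_CLP = {
  find: { "*": true }, get: { "*": true }, create: { "*": true },
  update: { "*": true }, delete: { "*": true }, addField: { "*": true },
};

// Constructed hardened CLP for a hypothetical "Timetable" class: rows are
// readable and writable only by their owner (pointer field "owner") or by
// the "Admin" role, creating needs a login, and clients cannot add fields.
const HARDENED_CLP = {
  find: { requiresAuthentication: true }, get: { requiresAuthentication: true },
  create: { requiresAuthentication: true },
  update: { "role:Admin": true }, delete: { "role:Admin": true },
  addField: {},
  readUserFields: ["owner"], writeUserFields: ["owner"],
};

// Pointer-permission list that applies to each operation (none for create/addField).
const POINTER_KEY = { find: "readUserFields", get: "readUserFields",
                      update: "writeUserFields", delete: "writeUserFields" };

// ctx: { userId: string|null, roles: string[] }. row: the object being read or
// written, e.g. { owner: "<objectId>" }; null when no single row is involved.
// Returns true when the request would be served.
function allowed(clp, op, ctx, row = null) {
  const perm = clp[op] || {};
  const acl = ctx.roles.map(r => `role:${r}`);
  if (ctx.userId) acl.push(ctx.userId);
  // 1. Class-wide grants: public, or an explicit entry for this user or role.
  if (perm["*"] || acl.some(k => perm[k] === true)) return true;
  // 2. Pointer permissions: the row's pointer field must name the caller.
  const fields = clp[POINTER_KEY[op]] || [];
  if (ctx.userId && row && fields.some(f => row[f] === ctx.userId)) return true;
  // 3. "Any logged-in user", unless pointer fields narrow the grant to own rows.
  return Boolean(perm.requiresAuthentication && ctx.userId && fields.length === 0);
}

// With the default CLP an anonymous caller can read and rewrite anyone's row,
// which is what "every user is an admin" amounts to; the hardened CLP closes it.
const ANON = { userId: null, roles: [] };
const ALICE = { userId: "u1", roles: [] };
const ADMIN = { userId: "u9", roles: ["Admin"] };
const BOBS_ROW = { owner: "u2" };
```

Real deployments also carry per-object ACLs and a master key that bypasses CLPs; this model leaves both out.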
Let’s let them know
Following the discovery, the group decided to send an e-mail to FreeHour on October 18 last year informing them of the vulnerability and urging them to fix it.
They also gave them a three-month deadline to secure the vulnerability before they would disclose it to the public.
In the e-mail, they also mentioned that they may be able to claim a bug bounty for their efforts.
Bug bounties are prizes that companies offer when people notify them of mistakes or bugs in their software. The students did not put a price on their find and did not ask for money.
However, a month after sending the e-mail to FreeHour, Scerri, Grigolo and Debono were arrested at their homes and taken into custody, where they were strip-searched and questioned.
When the police arrived, they had a warrant for their arrest under suspicion of unauthorised access. The warrant also included a police search which led to most of their tech and equipment being confiscated.
Originally, the authorities told them that their items would be returned within several weeks but they are still waiting.
At the time of his cohort’s arrests in November, Collins was in England studying for his PhD. He was questioned when he returned to the country for Christmas.
During the interviews, they said the police questioned them as to whether the group had been given explicit permission from FreeHour to test the systems.
They argued that, as they had identified themselves to the server, which then gave them access to what they were requesting, they had therefore been given authorisation.
Four years in prison
The students are being investigated under Article 337 of the Criminal Code, which makes it illegal to access an application without being “duly authorised by an entitled person”.
The crime carries a punishment of up to four years in prison and a maximum fine of €23,293.
FreeHour founder and CEO Zach Ciappara said that, once he received the e-mail from the four students in October, he contacted the office of the Information and Data Protection Commissioner (IDPC) and the Cyber Crime Unit for advice.
“We are pleased to report that no user data was compromised and the vulnerability was addressed within 24 hours,” he said.
“It’s important to note that we were legally bound to file a report of the potential data breach and did so within the legal deadline.
“This experience serves as a valuable reminder of the risks inherent in the industry we operate in and the responsibility we bear. We express our gratitude to the competent and supportive parties who aided us in addressing this issue.”
The police declined to answer any questions, citing ongoing investigations.
The Information and Data Protection Commissioner Ian Deguara also declined to comment due to ongoing investigations.