disclose / research-threats

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
https://threats.disclose.io/
Creative Commons Zero v1.0 Universal

Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri, Luke Collins -vs- FreeHour #47

Closed attritionorg closed 1 year ago

attritionorg commented 1 year ago

https://timesofmalta.com/articles/view/we-wanted-help-students-arrested-exposing-freehour-security-flaw.1024757 'We wanted to help': Students arrested after exposing FreeHour security flaw Police investigate four students who discovered vulnerability in application

Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were scanning through the software of the app when they found a vulnerability they say could be exploited by malicious hackers.

They emailed their findings to FreeHour’s owner and asked for a reward – or ‘bug bounty’ – for spotting the mistake.

But, instead of a payoff, the University of Malta students were arrested, strip-searched and had their computer equipment seized. [..]

sickcodes commented 1 year ago

Wow this was actually terrifying

'We wanted to help': Students arrested after exposing FreeHour security flaw Students have been left angered over revelations that their data was potentially at risk. 'FreeHour? More like FreeData': Students angry over app's security flaw, arrests https://timesofmalta.com/articles/view/case-legalising-ethical-hacking-mark-said.1030454

| 2023-04-12 | FreeHour | Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins | Students arrested, stripped naked, violated by Police. | On October 18, four computer-science students emailed FreeHour about software vulnerabilities in their student timetabling app, with a hefty 90 day disclosure window. Alongside their responsible disclosure to FreeHour, the students asked if their good-faith advisory would be eligible for a possible bounty, once the bug had been patched. One or more imbeciles at FreeHour lied to the Police about the nature of the student activity. Scerri, Grigolo and Debono received search warrants, all their homes were raided by the Police, and instead of receiving a bug bounty reward, they were heinously strip searched and had their computers violated as a result of the inadequate response by FreeHour. Originally, the authorities told them that their items would be returned within several weeks, but they are currently still having their rights violated. Collins was in England studying for his PhD, yet was questioned when he returned to the country for Christmas. FreeHour founder and CEO Zach Ciappara said that, once he received the e-mail from the four students in October, he contacted the office of the Information and Data Protection Commissioner (IDPC) and the Cyber Crime Unit for advice. After the situation began to escalate for FreeHour, the CEO subsequently published a statement on Instagram. According to another statement, "Due to the mention of payment, changes to the app’s front end & a 90 day ultimatum, FreeHour was legally advised to report this to the Police as a potential threat." The company is starting to do cyber now, and is apparently committed to doing so on an ongoing basis. "We are also willing to work with the four students to assist in improved security, and to implement new measures. Moreover, we are undergoing internal training in INFOSEC, GDPR and data integrity," CEO Zach Ciappara added. It is unclear whether the students would be willing to work with the company again, given they were strip searched, raided, violated, and arrested. |