We’ve all heard about the four computer science students at the University of Malta who were arrested after discovering a security flaw in FreeHour, Malta’s largest student app. The students say that their efforts to warn the company about the vulnerability and the potential for a data breach were motivated by a desire to protect users, not to exploit or harm them. Their arrest and the confiscation of their equipment have nevertheless raised concerns that treating this kind of ‘white-hat’ hacking as a crime will deter others from reporting flaws in software, leaving users’ data exposed to genuinely malicious attacks. The case also raises the question of bug bounties: how companies should compensate security researchers who identify flaws in their systems.
While it’s understandable that companies and app owners want to protect their systems, this situation highlights the problems with criminalizing white-hat hacking. These students were not trying to cause harm or profit from their discovery; they simply wanted to help the company fix a security flaw. Their actions have nevertheless led to a criminal investigation and potential punishment.
This outcome may deter others from doing the right thing in the future, for fear of similar consequences. It could also push people to extort money or sell the data to the highest bidder rather than report the problem to the company.
It’s important to note that white-hat hacking, also known as ethical hacking, is not the same as illegal hacking. White-hat hackers are security experts who look for vulnerabilities in systems and applications so that they can be fixed before malicious hackers exploit them. This type of testing is normally done with the explicit permission of the company or organization being tested, and that permission is what legally separates it from unauthorized access.
In this case, the students did not have explicit permission to test the app, but they did identify themselves to the server and believed they had been given authorization. It’s a grey area: good intentions do not by themselves amount to authorization, and without prior permission from the app’s owner a tester has little legal protection, but the students’ actions appear to have been well-intentioned and not malicious.
The use of police resources to investigate and potentially punish the students raises concerns about priorities within law enforcement. Police departments have limited resources, in personnel and clearly in funding too, and they need to use them to address the most serious and urgent crimes. The actions of the students do not constitute a serious or urgent crime that warrants the attention of law enforcement. While the company may have a right to pursue civil action against the students, it’s questionable whether involving the police is necessary or appropriate.
There are many other crimes and issues that the police could be focusing on instead of this case. Even setting that aside, the use of police resources to pursue cases like this has a chilling effect on security researchers and ethical hackers who try to identify and address vulnerabilities in systems and applications. If people fear that they will be investigated or punished for attempting to help, they will be less likely to report the security flaws they find.
It’s also worth noting that FreeHour, the app the students hacked, should itself be investigated for potential GDPR breaches. The General Data Protection Regulation (GDPR) is the European Union law that sets the standards for data protection and privacy for individuals in the EU. If FreeHour collects and stores its users’ personal data, it is required to protect that data: Article 32 obliges it to implement security measures appropriate to the risk, and Article 33 obliges it to notify the supervisory authority (in Malta, the Information and Data Protection Commissioner) within 72 hours of becoming aware of a personal data breach.
If the students were able to access personal data during their testing, that access is itself a personal data breach in GDPR terms (the regulation’s definition covers unauthorised access to personal data), and it suggests that FreeHour was not in compliance. This could result in serious consequences, including fines and legal action. If FreeHour is found to have violated the GDPR, it would be important to hold the company accountable as well.
The issue of bug bounties also comes into play when discussing this case. Bug bounties are programs offered by companies to incentivize ethical hackers to find and report vulnerabilities in their systems. While some companies offer significant rewards for finding and reporting vulnerabilities, others do not offer any compensation at all. This lack of compensation can discourage ethical hackers from reporting vulnerabilities, especially if they can make more money by selling the information on the black market.
With all this in mind, companies must take cybersecurity seriously and take steps to ensure that their systems are secure. Ethical hackers who help identify vulnerabilities should not be punished for it. Instead, companies should create policies and programs that encourage ethical hacking and protect the people who report vulnerabilities: at a minimum, a published vulnerability disclosure policy with safe-harbour language stating that good-faith testing within its scope will not be referred to law enforcement, and a reachable security contact (a security.txt file under /.well-known/, as standardised in RFC 9116, is the usual way to advertise one). Companies should also be held accountable for any GDPR violations and must take steps to ensure the privacy and protection of their users’ data.
Oh, and one more thing: a quote that really fits this case and gives us something to learn from. “Ethical hackers are a valuable asset to society, and we need to do everything we can to protect them and encourage them to help us secure our systems.” – Kevin Mitnick, former black-hat hacker turned cybersecurity consultant and author.