
Much has been said and written about the FreeHour story, but I think this article by Robert Fenech sums it up really well. Fenech correctly notes that, despite the fact that FreeHour Malta was aware that no data was breached, they still went ahead and filed a report with the authorities. The reaction of the authorities was also excessive, despite their being told that no data was breached, so the end result of a court case is nonsensical. Hopefully, this story will also convince lawmakers to change the law. Since then, FreeHour has also regretted its action and is trying to control the fallout.
What’s also important to note is that the students always acted in good faith, which can also be proved by the email they sent to FreeHour. Clearly, the students never made any threats or asked for any money, but they politely noted that bounties are a customary practice in this trade, which is true. It’s like when someone finds your lost dog and returns it, and of course, you aren’t obliged to pay the rescuer any money, but it would be polite and appreciative of you to do so.
Thanks to these computer science students, students’ data handled by FreeHour is safer, so they deserve a good shout-out. Their names are Luke Bjorn Scerri, Luke Collins, Michael Debono and Giorgio Grigolo.
Subject: Freehour app is not secure
From: Luke Bjorn Scerri <l******@um.edu.mt>
Date: 19/10/2022, 16:36
To: “hello@freehour.eu” <hello@freehour.eu>, “Zach Ciappara” <z******@freehour.eu>, z******@gmail.com
CC: Luke Collins <l******@um.edu.mt>, Michael Debono <m******@um.edu.mt>, Giorgio Grigolo <g******@um.edu.mt>
To whomever this may concern,
I am writing to you on behalf of the University of Malta Capture the Flag Team. We are a group of Science and ICT students interested in cyber-security and we do vulnerability research in our free time.
What are CTFs?
The app was found to be vulnerable to several exploits with severe consequences.
List of issues (most severe first)
- (redacted)
- (redacted)
- (redacted)
- (redacted)
- (redacted)
- (redacted)
Some technical examples
- Changing content displayed by the app for all users:
- (redacted)
- Disclosure of personal information
- (redacted)
Here’s one user from the response as an example, notice the sensitive information (which belongs to one of the members of our team):
(redacted)
Next steps
These vulnerabilities pose a serious threat as they may result in not only the leak of your users’ data, but also a malicious actor violating the trust users have in your brand by launching phishing attacks through your platform. As is customary, you have three months to resolve these issues before we publicly disclose them. We would also be eligible for a bug bounty, as is industry practice.
Changing the subject, as previously stated, we are interested in cyber-security and will be hosting free workshops and a competition throughout the academic year to help inform students on how to secure themselves as both users and online professionals. We would be grateful if you could provide us with an audience of STEM students.
Note: We restored the app to its original state very shortly after we took the demonstration footage. Attached to this email are a short video and a picture just to show our ability to change content displayed by the app.
We look forward to your prompt reply.
Thank you and best regards,
I don’t agree with the statement “Clearly, the students never made any threats”, since the email specifically says “As is customary, you have three months to resolve these issues before we publicly disclose them”.
It’s a threat used to alert Freehour’s users to the fact that they could be vulnerable to being hacked, sure, but it’s still a threat. Then they follow it up by claiming they are due monetary compensation. They refer to customs and industry practices to justify these statements, but these aren’t things set in law (definitely not Maltese law, of course).
In hindsight we can say the students had no actual malicious intention, but if I received an email out of the blue that is vaguely threatening to my business and my users’ data and possibly implying blackmail, I’d probably have reacted the same. I don’t condone the police reaction, but that’s more of an indictment of our police force and legal system than of Freehour.
This may be a crude metaphor, but to me it’s like seeing that your neighbor has their garden door open; and instead of delivering a letter saying “Your back door is open, be careful” to their letter box, you break into their house and leave it on their kitchen table.
Too much of the public’s backlash has been directed at the chief executive officer (CEO) of Free Hour. The real ire should be aimed at the police. Instead of being pragmatic and serving as low-key intermediaries between the two sides (similar to when the police break up a small, senseless fight and send everyone home without charging anyone with a crime), they came down like a tonne of bricks on four slightly naïve students who look like they rarely see the sun shine, and are probably dreaming of being in Silicon Valley.
To be clear, the students did nothing morally wrong, but they did hack an app, write an email with a vaguely threatening ultimatum, and ask for a bounty. Yes, it is white hacking and ‘normal industry practice’, but none of it is explicitly supported by Maltese law. Zach Ciappara (Free Hour’s CEO) is still in his early 20s and has obviously never had to deal with a situation like this. It is not, therefore, entirely surprising that his first reaction was ‘to protect the business’ and let the police deal with it. Even if we all agree, in retrospect, that he made the wrong call, we can still understand the logic that led him to make the decision he did. Going to the police must have felt like a safe option.
On the other hand, the police deserve no sympathy. They strip-searched the students (seriously, why?) and, worse, confiscated their devices, possibly throwing their studies into chaos, as theses and assignment deadlines approach (students may have some documents saved only on one device to avoid data leaks, or they may be using specific software which they have only been licensed to run on a single device).
One would have expected the police to be the ‘adults in the room’ and solve the dispute and any misunderstandings without arresting anyone or disrupting lives. However, for this to happen, the police would have to be educated, intelligent, sensible and acting in good faith. As Mark Camilleri has so clearly pointed out in many of this blog’s posts, several senior police officers are ill-educated, racist, homophobic, misogynistic, and owe their post to being lackeys of the Labour Party.
The police may very well have got sadistic pleasure from ‘violating’ these four deer caught in the headlights; because bullying is only fun when the prey is weak and won’t fight back (which is why rapists, fraudsters, cocaine dealers and corrupt politicians keep walking around unmolested by the police, while bookish types, like authors, journalists and students, get investigated with speed and ferocity; in Labour logic, to be intellectual is to be weak, because strongmen and women carry a baton or a gun, not a pen or keyboard).
The Free Hour saga is, I believe, an unfortunate one in which a youthful CEO was in over his head, and even more youthful students have ended up being punished for doing a good deed. The real culprits of the story are the police. By giving lots of attention to Zach Ciappara’s actions, we do the police a favour by moving the spotlight off them. Reporting behaviour which seems compromising or suspicious is not wrong, even if the behaviour turns out to be innocent. It is the police’s responsibility, then, to act appropriately, displaying good faith, diligence, sensitivity, care, pragmatism and intelligence.
Sorry if I sound crude but there is no other way to describe your lengthy rant on the police as rubbish. If a report is made the police have no choice but to follow their procedure. Unless of course the person reported belongs to the JM group of friends.
So the real idiot is Freehour or this Zack who, by the way, I’m sure knows that in this business he has tested vulnerabilities of competitors’ sites, for example.
Someone did some very expensive penetration testing for Freehour at zero cost. Freehour was not obliged or forced to pay. Freehour was obliged to fix their cheap crap app that people trusted. Three months is more than plenty. Those who found the vulnerability were on the contrary required by law to report it. This is not their home but their hotel which was unsafe for public use. Get the difference before commenting.
See my reply to your buddy here below. It applies to you too.