Much has been said and written about the FreeHour story, but I think this article by Robert Fenech sums it up really well. Fenech correctly notes that, even though FreeHour Malta was aware that no data had been breached, it still went ahead and filed a report with the authorities. The reaction of the authorities was also excessive, despite their being told that no data had been breached, so the end result, a court case, is nonsensical. Hopefully, this story will also convince lawmakers to change the law. Since then, FreeHour has also expressed regret over its action and is trying to control the fallout.
What is also important to note is that the students always acted in good faith, which the email they sent to FreeHour also proves. Clearly, the students never made any threats or asked for any money; they politely noted that bounties are customary practice in this trade, which is true. It is like when someone finds your lost dog and returns it: you are not obliged to pay the rescuer any money, but it would be polite and appreciative of you to do so.
Thanks to these computer science students, the student data handled by FreeHour is safer, so they deserve a good shout-out. Their names are Luke Bjorn Scerri, Luke Collins, Michael Debono and Giorgio Grigolo.
Subject: Freehour app is not secure
From: Luke Bjorn Scerri <email@example.com>
Date: 19/10/2022, 16:36
To: “firstname.lastname@example.org” <email@example.com>, “Zach Ciappara” <firstname.lastname@example.org>, email@example.com
CC: Luke Collins <firstname.lastname@example.org>, Michael Debono <email@example.com>, Giorgio Grigolo <firstname.lastname@example.org>
To whomever this may concern,
I am writing to you on behalf of the University of Malta Capture the Flag Team. We are a group of Science and ICT students interested in cyber-security and we do vulnerability research in our free time.
What are CTFs?
The app was found to be vulnerable to several exploits with severe consequences.
List of issues (most severe first)
Some technical examples
- Changing content displayed by the app for all users:
- Disclosure of personal information
Here’s one user from the response as an example; notice the sensitive information (which belongs to one of the members of our team):
These vulnerabilities pose a serious threat as they may result in not only the leak of your users’ data, but also a malicious actor violating the trust users have in your brand by launching phishing attacks through your platform. As is customary, you have three months to resolve these issues before we publicly disclose them. We would also be eligible for a bug bounty, as is industry practice.
Changing the subject, as previously stated, we are interested in cyber-security and will be hosting free workshops and a competition throughout the academic year to help inform students on how to secure themselves as both users and online professionals. We would be grateful if you could provide us with an audience of STEM students.
Note: We have restored the app to its original state very shortly after we took the demonstration footage. Attached to this email is a short video and a picture just to show our ability to change content displayed by the app.
We look forward to your prompt reply.
Thank you and best regards,