Students arrested, investigated after warning FreeHour of security issue

CEO Zach Ciappara said FreeHour never intended to go after students

The police are investigating four computer science students after they flagged a security issue in FreeHour, Malta’s most popular app for students.

In October, the students scanned the application, found a vulnerability and shared their findings with FreeHour owner Zach Ciappara.

They asked for a reward, as is industry practice, and gave FreeHour a three-month deadline to fix the security issue before they would make it public.

But, instead of receiving a reward, the University of Malta students were arrested, strip-searched and had their computer equipment seized.

The students said that the app granted any user access to any information stored on FreeHour’s servers.

“In simple terms, every user is an admin without knowing it”, Luke Collins, one of the four students, explained.

‘No data compromised’

Zach Ciappara said that no data was compromised and his developers fixed the issue within 24 hours “to make sure everyone’s data is secure”.

He said his company was legally obliged to report the incident to the Cyber Crime Unit and to the Information and Data Protection Commissioner.

“Our intent was to cover ourselves legally; if we hadn’t filed a report we would have been breaking the law ourselves. Our intent was never to get these students in trouble or to go after them directly”, Ciappara said.

FreeHour is partly owned by Lovin Malta.

KSU pledges to cover legal expenses

The Council of University Students (KSU) expressed its disappointment that the four students were arrested for their efforts.

“KSU will be approaching the students to cover any legal expenses they may incur”, its President Alexandra Gaglione told Times of Malta.

She said it is frustrating to see “outdated laws be misapplied” in “overly swift action” taken by the police.

Political reactions

Political party Volt has called for the introduction of good samaritan laws for ethical hacking.

“It is clear that the intention of the youths was in the interest of the public good”, the party said.

“This is not a normal country”, PN MP Adrian Delia commented on the investigation, and noted that FreeHour failed to fulfil its obligation to inform its users of the potential breach.