Ethical Hackers arrested after exposing FreeHour security flaw

Four computer science students are being investigated by the police after they found and reported a security weakness in Malta’s largest student application, FreeHour.

Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were examining the app’s software when they found a vulnerability that they say could have been exploited by malicious hackers.

They emailed their findings to FreeHour’s owner and asked for a reward – or ‘bug bounty’ – for spotting the mistake. But, instead of a payoff, the University of Malta students were arrested, strip-searched and had their computer equipment seized.

The students say the vulnerability they uncovered could have led to the leak of private data belonging to users of the app, which lets students share their college timetable with friends.

Email addresses, location data and control of people’s Google calendars were all found to have been potentially vulnerable.

The computer science students claim that the vulnerability essentially allowed them to request whatever type of information they wanted from FreeHour’s servers.

They said the vulnerability also allowed them to make changes to the app’s interface, which they did on one occasion to test whether what they were seeing was real. Normally, a server that receives a request for private data checks who is making it – in this case, the students – and denies access if that user lacks the required authorization. However, they say every piece of data they requested was authorized by the server and handed over.
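The failure the students describe is a missing authorization check: the server knows who the caller is (authentication succeeds) but never asks whether that caller is entitled to the record being requested. The following is an added, generic illustration of that pattern written for this article; it is not FreeHour’s code, and the users, tokens and handler names are constructed for the example. The vulnerable handler releases any user’s record to any logged-in caller, while the hardened handler releases a record only to its owner.

```python
"""Missing authorization check of the kind described in the article.

Constructed example: the data, session tokens and handler names below are
invented for illustration and are not taken from FreeHour or any real API.
"""

from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    location: str


# Constructed sample data: two users and their session tokens.
USERS = {
    1: User(1, "alice@example.edu", "Msida"),
    2: User(2, "bob@example.edu", "Valletta"),
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class Forbidden(Exception):
    """Raised when an authenticated caller asks for a record it does not own."""


def authenticate(token: str) -> int:
    """Authentication only: maps a session token to a user id (401 if unknown)."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("401: unknown session token") from None


def get_profile_vulnerable(token: str, requested_id: int) -> dict:
    """Broken access control: the caller is identified and then ignored.

    Any logged-in user can read any other user's record simply by changing
    the id in the request, which is the behaviour the students describe.
    """
    authenticate(token)  # the server learns who is asking but never uses it
    u = USERS[requested_id]
    return {"id": u.user_id, "email": u.email, "location": u.location}


def get_profile_fixed(token: str, requested_id: int) -> dict:
    """Authorization added: the record is released only to its owner."""
    caller_id = authenticate(token)
    if caller_id != requested_id:
        raise Forbidden(f"403: user {caller_id} may not read user {requested_id}")
    u = USERS[requested_id]
    return {"id": u.user_id, "email": u.email, "location": u.location}


def demo() -> tuple:
    """Alice's token asking for Bob's record: leaked by the vulnerable handler,
    refused by the fixed one. Returns (leaked_record, outcome_of_fixed)."""
    leaked = get_profile_vulnerable("tok-alice", 2)
    try:
        get_profile_fixed("tok-alice", 2)
        outcome = "allowed"
    except Forbidden:
        outcome = "denied"
    return leaked, outcome


if __name__ == "__main__":
    print(demo())  # ({'id': 2, 'email': 'bob@example.edu', 'location': 'Valletta'}, 'denied')
```

The point of the comparison is that a valid login is not a licence to read everything: authorization has to be decided per record, against the identity the server just established, and the request parameter naming the record must never be trusted on its own.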

Following the discovery, the group decided to send an e-mail to FreeHour on October 18 last year informing them of the vulnerability and urging them to fix it.

They also gave them a three-month deadline to secure the vulnerability before they would disclose it to the public. In the e-mail, they also mentioned that they may be able to claim a bug bounty for their efforts.

Bug bounties are rewards that companies offer to people who report bugs or security flaws in their software.

A month after the e-mail was sent to FreeHour, Scerri, Grigolo and Debono were arrested at their homes and taken into custody, where they were strip-searched and questioned.

When the police arrived, they had a warrant for their arrest on suspicion of unauthorized access. The warrant also covered a search, which led to most of their computers and equipment being confiscated. The authorities told them the items would be returned within several weeks, but they are still waiting.

At the time of his colleagues’ arrests in November, Collins was in England studying for his PhD. He was questioned when he returned to Malta for Christmas.

During the interviews, they said, the police asked whether the group had been given explicit permission by FreeHour to test its systems.

They argued that, as they had identified themselves to the server, which then gave them access to what they were requesting, they had therefore been given authorization.

The students are being investigated under Article 337 of the Criminal Code, which makes it illegal to access an application without being “duly authorized by an entitled person”.

The crime carries a punishment of up to four years in prison and a maximum fine of €23,293.

Universal Policing contacted the police department for more information on the incident; the local police declined to answer any questions, citing the ongoing investigation.