What the hack?! Unravelling the FreeHour ‘ethical hack’

Social media has been awash with comments following the revelation that the police arrested, strip-searched, and confiscated the machines of four computer science students who informed the company behind popular student app FreeHour about a security flaw that left users’ data unprotected.

On Wednesday (today), The Times reported that Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins are being investigated by police after FreeHour filed a report about their ‘hack’.

The students claim that the vulnerability could have leaked the private data of the app’s users, as it allowed them to request any information they wanted from FreeHour’s servers.

“In simple terms, every user is an admin without knowing it,” said Mr Collins.

In October 2022, the students emailed FreeHour to let them know of the vulnerability, giving them a three-month deadline to fix it if they did not want the information to become public.

The email provided proof of the vulnerability along with the suggested next steps: “These vulnerabilities pose a serious threat as they may result in not only the leak of your users’ data, but also a malicious actor violating the trust users have in your brand by launching phishing attacks through your platform. As is customary, you have three months to resolve these issues before we publicly disclose them. We would also be eligible for a bug bounty, as is industry practice.”

Instead, they were raided by police and are now under criminal investigation in a case that could see them imprisoned for up to four years and fined €23,293.

FreeHour has argued that it was legally obliged to report the incident to the Cyber Crime Unit within the Malta Police Force and the Information and Data Protection Commissioner.

BusinessNow.mt reached out to a qualified information security specialist, who preferred not to be named, who lamented Malta’s lack of safe harbour provisions – laws which protect ethical hackers and cater for the finding and reporting of cyber vulnerabilities

He also disagreed with the company’s claim that they were obliged to report the incident to authorities.

“It depends all on whether the students accessed and, if applicable, the manner in which they managed to compromise FreeHour’s systems,” he says. “From the information posted on the media, it is clear that they had done some sort of checks to validate whether the vulnerability that they discovered was indeed an actual vulnerability (not a false positive). They did so with the express intention to validate their claims, not to compromise their systems.”

He notes that the case shines a light on FreeHour’s “probable lack of a proper incident response procedures”.

He says that this is a “really interesting case”, made more complicated by the fact that the students did not seem to obtain proper permission from FreeHour to test for vulnerabilities in its system.

The police also came in for criticism: “The police action, in this case, may have been in accordance with the law, but the application is clearly excessive and, in my opinion, warranted more checks and oversight before proceeding – including an evaluation of the public blowback over a case like this.”

He concludes that one major question remains: “If within 24 hours of your investigation, you see that no user data was compromised… why did it need to be reported to the IDPC and Cyber Crime Unit?”

Meanwhile, a source familiar with the incident, speaking to BusinessNow.mt, explains that the hack was found through network analysis.

“However, a proof of concept has to be supplied for the vulnerability to be taken seriously,” he continues.

The source, who was not directly involved in the hack, declined to comment on “to what extent the proof of concept was taken”.

He said: “FreeHour were sending data to the client that should not have been sent. It is just bewildering how stupid it was.”

Online reactions

Ian Gauci, managing partner at leading law firm GTG Advocates, took to LinkedIn to comment on the news.

Describing it as “a sad situation”, Dr Gauci explained that Malta does not have ‘safe harbour’ provisions protecting .

The European Union Agency for Cybersecurity (ENISA) Good Practice Guide on Vulnerability Disclosure Stresses, the OECD’s recommendations, and ISO criteria for software vulnerability discovery and disclosure are also ignored by Malta.

“Let’s also not forget that the EU also has Certified Ethical Hacker qualification,” he continued, “and even in USA, the Department of Justice announced a change in its policy for pressing charges against hackers under the Computer Fraud and Abuse Act (CFAA). The federal agency said it would no longer charge ethical or white hat hackers, i.e., those involved in ‘good-faith security research’.”

Dr Galea continued: “ Albeit the existing shortcoming in our law, I still contend the magistrates in Malta, for the case at hand, can assess the totality of the scenario and case at hand including intrinsic criteria, example: whether the action was necessary/vital and whether the requirements of proportionality and subsidiarity have been met in this case. I also sincerely hope that the law is amended so that ethical hackers are not prosecuted, CVD becomes more prevalent and regulated and thus we minimise risks, for customers, businesses, and critical infrastructures, making sure that vulnerability are best fixed before users are impacted by them.”

Meanwhile, Yanica Sant, group legal director (regulatory) at gambling firm 888 William Hill, described the situation as “bizarre”.

“Malta, a service-based country, has consistently tried to incentivise students to take up IT, in order to address the glaring skill gap that negatively impacts the same industries it seeks to draw to the country, only to arrest those students when they’re too good at it.”

“What a waste of talent and police resources.”

FreeHour response

In a video released on Instagram in response to the media buzz about the story, FreeHour founder and CEO Zach Ciappara stated that after receiving the students’ email, the company immediately spoke to its developers to fix the flaw.

Mr Ciappara again said that no data was compromised and within 24 hours a patch was released “to make sure everyone’s data is secure”.

“As a tech company when someone manages to gain access to your backend and exposes a vulnerability that puts the data of users at risk there is a very serious legal obligation to report to authorities.”

He said it was “very clear” that under GDPR law, the company “had to make this report”.

“Our intent – and this is very genuine –was to cover us legally. We would be breaking the law if we did not report.”

“Our intent was never to get these students in trouble or go after them.”