2022 FreeHour ethical hacking case
The 2022 FreeHour ethical hacking case refers to a legal and cybersecurity controversy in Malta involving three University of Malta computer science students – Michael Debono, Giorgio Grigolo, and Luke Bjorn Scerri – and their lecturer, Mark Joseph Vella. The group identified critical security vulnerabilities in FreeHour, Malta’s most popular student timetable management application, and reported them to the company through ethical hacking practices. Instead of receiving recognition or a standard "bug bounty" reward, the students faced criminal charges under Malta’s Computer Misuse Act, sparking national debates about cybersecurity laws, academic freedom, and ethical hacking protections.[1][2][3]
Background
FreeHour
Developed by entrepreneur Zach Ciappara, FreeHour became Malta’s dominant student app by 2022, with features for class scheduling, social event organization, and university resource sharing. Its rapid adoption by over 90% of Maltese tertiary students made it a critical piece of educational infrastructure. However, the app’s technical architecture had not undergone independent security auditing prior to the incident.[4][3]
Ethical Hacking Context
Ethical hacking, or "white hat" security research, involves proactively identifying system vulnerabilities to prevent malicious exploitation. International tech companies like Google and Microsoft operate formal bug bounty programs, offering financial rewards and legal protections to researchers who follow responsible disclosure protocols. Malta lacked specific safe harbor laws for ethical hackers in 2022, leaving researchers vulnerable to prosecution under broad computer crime statutes.[4][3]
Discovery of Vulnerabilities
In October 2022, during a routine cybersecurity exercise, the students identified multiple critical flaws in FreeHour’s API architecture. Forensic analysis revealed:
- Unauthenticated Endpoints: Certain administrative API routes lacked proper authentication checks, allowing any user to execute privileged operations.[4]
- Data Exposure: User records including phone numbers, email addresses, and class schedules could be retrieved through parameter manipulation.[4][5]
- Injection Vulnerabilities: Missing input sanitization enabled potential SQL and command injection attacks.[4]
To validate their findings, Grigolo temporarily modified a non-essential app feature, immediately reverting it after capturing proof-of-concept evidence. The group documented their methodology and prepared a disclosure report following ISO/IEC 29147 guidelines for vulnerability handling.[1][3][6]
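The three weakness classes listed above (an endpoint with no authentication check, a record selected by a client-supplied identifier, and unsanitized input reaching a database query) are easiest to understand side by side. The following is an added illustration written for this article; it is not FreeHour's code and is not taken from the students' report. The schema, the sample users, the SESSIONS token store and the handler names are all hypothetical. The vulnerable handler shows the pattern the list describes, and the hardened handler shows the controls a security reviewer would expect in its place.

```python
import sqlite3
from typing import Any, Dict, Tuple

# Constructed sample data with a hypothetical schema (not FreeHour's real database).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice@example.edu", "+356 0000 0001", "student"),
            (2, "bob@example.edu", "+356 0000 0002", "student"),
            (3, "admin@example.edu", "+356 0000 0003", "admin"),
        ],
    )
    return conn

# Hypothetical session store mapping bearer tokens to user ids.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 3}

Response = Tuple[int, Any]  # (HTTP-style status code, response body)


def get_profile_vulnerable(conn: sqlite3.Connection, params: Dict[str, str]) -> Response:
    """Illustrates all three weakness classes in one handler.

    - there is no authentication check at all;
    - the record returned is chosen by a client-supplied user_id, so any caller
      can read other users' records simply by changing the parameter;
    - the id is pasted into the SQL text, so a crafted value alters the query.
    """
    user_id = params.get("user_id", "")
    sql = f"SELECT id, email, phone FROM users WHERE id = {user_id}"
    return 200, conn.execute(sql).fetchall()


def get_profile_hardened(conn: sqlite3.Connection, params: Dict[str, str]) -> Response:
    """The same endpoint with the controls a reviewer would ask for."""
    # 1. Authentication: the caller must present a valid session token.
    caller = SESSIONS.get(params.get("token", ""))
    if caller is None:
        return 401, None

    # 2. Input validation: only an integer id is accepted; anything else is rejected
    #    before it gets anywhere near the database.
    try:
        target = int(params.get("user_id", ""))
    except ValueError:
        return 400, None

    # 3. Object-level authorization: a student may read only their own record.
    #    The role is looked up server-side, never taken from the request.
    role = conn.execute("SELECT role FROM users WHERE id = ?", (caller,)).fetchone()[0]
    if target != caller and role != "admin":
        return 403, None

    # 4. Parameterized query: the driver binds the value as data, so it can never
    #    change the structure of the SQL statement.
    row = conn.execute(
        "SELECT id, email, phone FROM users WHERE id = ?", (target,)
    ).fetchone()
    if row is None:
        return 404, None
    return 200, {"id": row[0], "email": row[1], "phone": row[2]}


if __name__ == "__main__":
    db = make_db()
    # Against the vulnerable handler, a manipulated parameter returns every user's
    # contact details to an unauthenticated caller.
    print(get_profile_vulnerable(db, {"user_id": "1 OR 1=1"}))
    # The hardened handler refuses the same request at each control in turn.
    print(get_profile_hardened(db, {"user_id": "1 OR 1=1"}))                      # 401
    print(get_profile_hardened(db, {"token": "tok-bob", "user_id": "1 OR 1=1"}))  # 400
    print(get_profile_hardened(db, {"token": "tok-bob", "user_id": "1"}))         # 403
    print(get_profile_hardened(db, {"token": "tok-alice", "user_id": "1"}))       # 200
```

The order of the checks in the hardened handler matters: authentication comes first so that unauthenticated callers learn nothing (not even whether an id exists), validation comes before any database access, and the authorization decision is based on a role the server already holds rather than on anything in the request. Note that even if the validation step were missing, the parameterized query in step 4 would bind a value such as `1 OR 1=1` as a literal and return no row rather than every row.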
References
- [1] Galdes, Marc (2025-03-05). "Three students and lecturer charged with hacking popular student app". Times of Malta. Retrieved 2025-03-12.
- [2] Times of Malta (2025-03-11). "Cabinet recommends presidential pardon for student ethical hacking case". Times of Malta. Retrieved 2025-03-12.
- [3] Balzan, Jurgen. "Ethical hackers charged with unauthorised access to FreeHour app - Newsbook". newsbook.com.mt. Archived from the original on 2025-03-06. Retrieved 2025-03-12.
- [4] Fenech, Robert (2023-04-12). "What the hack?! Unravelling the FreeHour 'ethical hack'". BusinessNow.mt. Retrieved 2025-03-12.
- [5] "Lecturer and three students charged with hacking Malta's largest student app". MaltaToday.com.mt. Retrieved 2025-03-12.
- [6] Balzan, Jurgen. "Ethical hackers charged with unauthorised access to FreeHour app - Newsbook". newsbook.com.mt. Archived from the original on 2025-03-06. Retrieved 2025-03-12.