2022 FreeHour ethical hacking case
The 2022 FreeHour ethical hacking case refers to a legal and cybersecurity controversy in Malta involving three University of Malta computer science students – Michael Debono, Giorgio Grigolo, and Luke Bjorn Scerri – and their lecturer, Mark Joseph Vella. The group identified critical security vulnerabilities in FreeHour, Malta’s most popular student timetable management application, and reported them to the company through ethical hacking practices. Instead of receiving recognition or a standard "bug bounty" reward, the students faced criminal charges under Malta’s Computer Misuse Act, sparking national debates about cybersecurity laws, academic freedom, and ethical hacking protections.[1][2][3]
Background
FreeHour
Developed by entrepreneur Zach Ciappara, FreeHour became Malta’s dominant student app by 2022, with features for class scheduling, social event organization, and university resource sharing. Its rapid adoption by over 90% of Maltese tertiary students made it a critical piece of educational infrastructure. However, the app’s technical architecture had not undergone independent security auditing prior to the incident.[4][3]
Ethical Hacking Context
Ethical hacking, or "white hat" security research, involves proactively identifying system vulnerabilities to prevent malicious exploitation. International tech companies like Google and Microsoft operate formal bug bounty programs, offering financial rewards and legal protections to researchers who follow responsible disclosure protocols. Malta lacked specific safe harbor laws for ethical hackers in 2022, leaving researchers vulnerable to prosecution under broad computer crime statutes.[4][3]
Discovery of Vulnerabilities
In October 2022, during a routine cybersecurity exercise, the students identified multiple critical flaws in FreeHour’s API architecture. Forensic analysis revealed:
- Unauthenticated Endpoints: Certain administrative API routes lacked proper authentication checks, allowing any user to execute privileged operations.[4]
- Data Exposure: User records including phone numbers, email addresses, and class schedules could be retrieved through parameter manipulation.[4][5]
- Injection Vulnerabilities: Missing input sanitization enabled potential SQL and command injection attacks.[4]
To validate their findings, Grigolo temporarily modified a non-essential app feature, immediately reverting it after capturing proof-of-concept evidence. The group documented their methodology and prepared a disclosure report following ISO/IEC 29147 guidelines for vulnerability handling.[1][3][6]
Disclosure and Initial Response
On October 15, 2022, the students emailed FreeHour’s founder detailing the vulnerabilities, accompanied by:
- Technical documentation of the flaws
- Step-by-step reproduction guides
- Recommended mitigation strategies
- A request for a bug bounty payment commensurate with industry standards
Lecturer Mark Vella proofread the disclosure email but did not participate in the technical research. FreeHour’s legal team responded by filing a criminal complaint with the Malta Police Cybercrime Unit on October 18, invoking Article 337 of Malta’s Criminal Code regarding unauthorized computer access.[1][4][5]
Legal Proceedings
Arrests and Charges
On November 3, 2022, armed police conducted simultaneous raids on the students’ residences:
- All electronic devices (laptops, phones, IoT devices) were seized
- Subjects underwent strip searches at police headquarters
- Initial 48-hour detention without access to legal counsel[1][4][5][7]
References
- Galdes, Marc (2025-03-05). "Three students and lecturer charged with hacking popular student app". Times of Malta. Retrieved 2025-03-12.
- Malta, Times of (2025-03-11). "Cabinet recommends presidential pardon for student ethical hacking case". Times of Malta. Retrieved 2025-03-12.
- Balzan, Jurgen. "Ethical hackers charged with unauthorised access to FreeHour app - Newsbook". newsbook.com.mt. Archived from the original on 2025-03-06. Retrieved 2025-03-12.
- Fenech, Robert (2023-04-12). "What the hack?! Unravelling the FreeHour 'ethical hack'". BusinessNow.mt. Retrieved 2025-03-12.
- "Lecturer and three students charged with hacking Malta's largest student app". MaltaToday.com.mt. Retrieved 2025-03-12.
- Agius, Monique. "White hat hackers to face criminal proceedings next year - Newsbook". newsbook.com.mt. Archived from the original on 2024-08-30. Retrieved 2025-03-12.
- "Three IT students and their lecturer to face charges after disclosing security flaw in student app - The Malta Independent". Retrieved 2025-03-12.