On the 19th of October 2022, four students emailed FreeHour to highlight a security vulnerability on FreeHour’s backend.
The students also altered text on main sections of the app, visibly public to our users for a short time, whilst also highlighting how user profiles could be accessed. We now understand that this was only done to prove the vulnerability, however this was alarming to us at the time.
They also specified that FreeHour had 90 days to react before they would go public, and that they were eligible for payment to compensate them for their work.
Given the information at hand, this had us questioning whether or not FreeHour was being threatened, therefore we consulted legally to get guidance on how this matter should be handled.
Due to the mention of payment, changes to the app’s front end & a 90 day ultimatum, FreeHour was legally advised to report this to the Police as a potential threat. We also had a responsibility to inform Malta’s Data Protection Authority (IDPC) within 48 hours, which we did.
At the time, FreeHour was legally advised not to contact the students at all and received no updates on how the investigation was unfolding.
After hearing the four students’ perspective over the past few days and understanding their intentions, it has become clearer that there was no malicious intent.
FreeHour is now exploring ways it can take action to help the four students, including reaching out to the relevant authorities to communicate that the students’ intent has now become clear, and that this needs to be recognised & taken into consideration.
This was unclear upon receiving the email in October - which is what led FreeHour to filing the report.
Whilst FreeHour has no direct say on the case, since it is not the one pressing charges, we are confident that these efforts will have a significant impact on the outcome for the students.
This episode has brought to light that Malta’s legislation on cybercrime may need to be looked at and possibly updated to reflect current realities, especially with regards to these forms of data breaches and with ‘vulnerability disclosure’.
Whilst bounty payments are the norm for ethical hacking in other countries, FreeHour has never launched a Bug Bounty programme which would offer developers monetary compensation for finding security flaws.
Malta’s current legislation here, last updated in 2001, does not provide for an exception for this practice and this was made clear through what happened to the four students.
FreeHour is committed to lobby for a change in policy on how ‘vulnerability disclosure’ is treated by the authorities in Malta. FreeHour also believes that public debate is needed to alert policymakers about current realities and how these should be catered for.
Since the incident, FreeHour shifted focus to addressing the vulnerabilities that the students exposed with our third party software development company with immediate effect.
While FreeHour has always placed efforts in ensuring user data protection, this incident has highlighted how there is still a lot more to be done to prevent potential vulnerabilities. Here, FreeHour is committed to seriously increasing its efforts in protecting users’ data, as this is evidently needed.
FreeHour has subsequently engaged cyber security experts to assist in ensuring a robust security framework for FreeHour App, and is committed to doing so on an ongoing basis.
We are also willing to work with the four students to assist in improved security, and to implement new measures. Moreover, we are undergoing internal training in INFOSEC, GDPR and data integrity.
We understand, however, that your trust in the FreeHour App may have been jeopardised. If you have any questions about your account or wish to have it deleted, kindly contact us on hello@freehour.eu
