Hungarian teen arrested for exposing major security flaw in public transit website

Cal Jeffrey

Cal Jeffrey

Posts: 4,178   +1,424
Staff member

Many companies reward ethical hackers who report bugs and security flaws to them, but not in Hungary. An 18-year-old Hungarian man was arrested after finding an exploit in a poorly coded website and reporting it to the owner. The site belongs to Budapesti Közlekedési Központ (BKK), which is Budapest’s public transportation authority. One of the functions of the website was to sell tickets, and that was the page where the bug was found.

The teen had discovered that he could alter ticket prices just by changing them in the source code using the browser’s developer tools. He then ordered a $35 ticket for $0.20. The purchase went through because BKK's system had no validation procedures in place on the client or the server side. So the flaw did not even require any real hacking.

After he had discovered the flaw, he contacted BKK to let them know about it. However, instead of thanking him and fixing the poor coding, they called the police and filed a complaint that he had “hacked” their systems. The police went to the man’s residence and arrested him in the middle of the night, even though he never used or even received the ticket and didn’t live near Budapest.

As if they had accomplished something truly noble, BKK held a press conference bragging about how they had thwarted a “cyber attack” and caught the hacker. When word got out that the hacker was a white hat and had tried to warn the company about the flaw, the storm on Twitter was furious. People scolded, cursed, and sarcastically congratulated @bkkbudapest. There is also talk of protests being organized.

Additionally, the company now has a one-star rating on its Facebook page thanks to thousands of people flocking to it to give them one-star reviews. Currently, the page has 46,000 one-star ratings. Judging by the total number of reviews (only 222 five-star ratings), this is a deficit that BKK will never recover from without creating a new page.

“Learn to validate server side, you noobs,” said one review. “What were you guys thinking?”

During its presser, BKK claimed that it had “secured” its systems. Of course, angry white hats immediately scrutinized the site and started pointing out other flaws. One Twitter user even called the website’s security “a goddamn train wreck.” The BKK site is currently down.

Hungarian IT company, T-Systems has a million dollar contract with BKK and is responsible for the website. The company has not received as much criticism as the transportation authority, but it has received some backlash on social media. Ironically, according to the company’s own website, it has sponsored ethical hacking contests in the past. Since the news broke of this wrongful arrest of an ethical hacker, the company has taken the page down, but thanks to the Internet Archive, nothing is ever really deleted.

The incident causes one to wonder if there shouldn’t be protections in place for ethical hacking. Should there be laws to protect someone from prosecution if all they were doing was trying to point out a bug in a piece of software or a website? Even though common sense seems to dictate that we should not need them, we do have Good Samaritan laws to protect us from lawsuits and prosecution when trying to save someone’s life. Why shouldn’t we enact similar legislation to protect Cyber-Samaritans?

Permalink to story.

https://www.techspot.com/news/70260-hungarian-teen-arrested-exposing-major-security-flaw-public.html

 
Hope the kid is alright. Well lets see what happens in the next few days. I hope the employees and official that handled this case of misinformation will be thrown out. Yeah declare it as a cyberattack and blame it on the kid.
 
Cal Jeffrey said:
I don't know, but I would say that pissing off the ethical hacking community is probably not a good business move.
Click to expand...
it's the best way to actually get hacked and even the most stupid IT specialist (security credentials not required) will tell you that :D
and what happened afterwards proves that.
 
I think it would be safe to assume that a) this is definitely not over, that they will a) have a huge issue securing a new IT company to actually make a new site, b) it will be extremely expensive, c) they will have to create some sort of nsa-type-secure site now, else they will never be able to rest.
 
  • Like
Reactions: Cal Jeffrey and Tanstar
Tanstar said:
Are you sure you replied to the correct story?
Click to expand...
Yup, it's the correct one. I suppose I could have worded it better.

I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
 
stewi0001 said:
Yup, it's the correct one. I suppose I could have worded it better.

I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
Click to expand...
Gotcha, I read it like you were referring to the guy that reported the problem.
 
stewi0001 said:
Yup, it's the correct one. I suppose I could have worded it better.
Click to expand...
Well Stew, you have take the time to establish a "frame of reference".. You can't simply let readers hanging on sentences floating in midair. Are those, "dangling participles"? Probably not, but I had that phrase pounded into my head during my school daze, and felt the time was right to, "pay it forward", as it were. :rolleyes:

stewi0001 said:
I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
Click to expand...
Now see, I was closer than many. My guess was you were trashing the CEO of the transit company.

In any case, always establish a frame of reference with your posts. Take my posts as an example. I'm usually so far off topic it's frightening. However, Everyone seems to be able to determine what I'm talking about, and it infuriates them! (y) Mission accomplished.. :cool:
 
  • Like
Reactions: Cal Jeffrey and stewi0001
captaincranky said:
Well Stew, you have take the time to establish a "frame of reference".. You can't simply let readers hanging on sentences floating in midair. Are those, "dangling participles"? Probably not, but I had that phrase pounded into my head during my school daze, and felt the time was right to, "pay it forward", as it were. :rolleyes:

Now see, I was closer than many. My guess was you were trashing the CEO of the transit company.

In any case, always establish a frame of reference with your posts. Take my posts as an example. I'm usually so far off topic it's frightening. However, Everyone seems to be able to determine what I'm talking about, and it infuriates them! (y) Mission accomplished.. :cool:
Click to expand...

You know how they say don't drink and drive? I guess for me it's don't be zoned in writing code and go on Techspot and write comments ;)
 
  • Like
Reactions: Cal Jeffrey
You must log in or register to reply here.

Similar threads

midian182
That one time when beer ads were inserted directly into Star Wars movies, and George Lucas...
Replies
9
Views
198
kiwigraeme
K
midian182
Apex Legends tournament postponed after players hacked mid-match
Replies
0
Views
91
midian182
midian182
midian182
Elon Musk says X will introduce an annual fee for new users to like, post, bookmark, and reply
Replies
15
Views
120
brucek
brucek

Latest posts

Back