Hungarian teen arrested for exposing major security flaw in public transit website

Cal Jeffrey

TS Evangelist
Staff member

Many companies reward ethical hackers who report bugs and security flaws to them, but not in Hungary. An 18-year-old Hungarian man was arrested after finding an exploit in a poorly coded website and reporting it to the owner. The site belongs to Budapesti Közlekedési Központ (BKK), which is Budapest’s public transportation authority. One of the functions of the website was to sell tickets, and that was the page where the bug was found.

The teen had discovered that he could alter ticket prices just by changing them in the source code using the browser’s developer tools. He then ordered a $35 ticket for $0.20. The purchase went through because BKK's system had no validation procedures in place on the client or the server side. So the flaw did not even require any real hacking.

After he had discovered the flaw, he contacted BKK to let them know about it. However, instead of thanking him and fixing the poor coding, they called the police and filed a complaint that he had “hacked” their systems. The police went to the man’s residence and arrested him in the middle of the night, even though he never used or even received the ticket and didn’t live near Budapest.

As if they had accomplished something truly noble, BKK held a press conference bragging about how they had thwarted a “cyber attack” and caught the hacker. When word got out that the hacker was a white hat and had tried to warn the company about the flaw, the storm on Twitter was furious. People scolded, cursed, and sarcastically congratulated @bkkbudapest. There is also talk of protests being organized.

Additionally, the company now has a one-star rating on its Facebook page thanks to thousands of people flocking to it to give them one-star reviews. Currently, the page has 46,000 one-star ratings. Judging by the total number of reviews (only 222 five-star ratings), this is a deficit that BKK will never recover from without creating a new page.

“Learn to validate server side, you noobs,” said one review. “What were you guys thinking?”

During its presser, BKK claimed that it had “secured” its systems. Of course, angry white hats immediately scrutinized the site and started pointing out other flaws. One Twitter user even called the website’s security “a goddamn train wreck.” The BKK site is currently down.

Hungarian IT company T-Systems has a million-dollar contract with BKK and is responsible for the website. The company has not received as much criticism as the transportation authority, but it has received some backlash on social media. Ironically, according to the company’s own website, it has sponsored ethical hacking contests in the past. Since the news broke of this wrongful arrest of an ethical hacker, the company has taken the page down, but thanks to the Internet Archive, nothing is ever really deleted.

The incident causes one to wonder if there shouldn’t be protections in place for ethical hacking. Should there be laws to protect someone from prosecution if all they were doing was trying to point out a bug in a piece of software or a website? Even though common sense seems to dictate that we should not need them, we do have Good Samaritan laws to protect us from lawsuits and prosecution when trying to save someone’s life. Why shouldn’t we enact similar legislation to protect Cyber-Samaritans?

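The flaw the article describes, a checkout that charges whatever price the browser posts back, next to the server-side validation the one-star reviewers were asking for. This is an added illustration, not BKK's or T-Systems' code (which is not public); the fare catalog, the prices and the request payloads are constructed for the example.

```python
# Added illustration of the client-side price-tampering flaw described above.
# Not BKK's or T-Systems' code (which is not public); fares, prices and the
# request payloads are constructed for the example.
from dataclasses import dataclass

# Constructed server-side fare catalog: fare id -> price in whole forints.
CATALOG = {
    "single-ticket": 350,
    "monthly-pass": 9500,
}

MAX_QUANTITY = 20

# Tamper log: the hardened handler records any request that carries a price
# field, since a well-behaved client never sends one. That makes tampering a
# detection signal for operations instead of something silently discarded.
TAMPER_LOG: list[str] = []


class InvalidOrder(ValueError):
    """Raised by the hardened handler when the request cannot be honoured."""


@dataclass(frozen=True)
class Order:
    fare_id: str
    quantity: int
    total_charged: int


def checkout_trusting_client(form: dict) -> Order:
    """Vulnerable pattern: the price comes from the posted form.

    The page rendered the price into a field the browser sends back, and the
    server used it as-is. Editing that field in developer tools before
    submitting changes what is charged, which is all the article's flaw needed.
    """
    fare_id = form["fare_id"]
    quantity = int(form["quantity"])
    unit_price = int(form["price"])  # attacker-controlled value
    return Order(fare_id, quantity, unit_price * quantity)


def checkout_server_side(form: dict) -> Order:
    """Hardened pattern: the client names the fare, the server decides the price.

    Everything the client sends is untrusted: the fare must exist in the
    server's catalog, the quantity must be a bounded integer, and any price
    the client supplies is ignored and logged.
    """
    fare_id = form.get("fare_id")
    if fare_id not in CATALOG:
        raise InvalidOrder(f"unknown fare {fare_id!r}")

    raw_quantity = form.get("quantity", 1)
    try:
        quantity = int(raw_quantity)
    except (TypeError, ValueError):
        raise InvalidOrder(f"quantity is not an integer: {raw_quantity!r}") from None
    if not 1 <= quantity <= MAX_QUANTITY:
        raise InvalidOrder(f"quantity {quantity} outside 1..{MAX_QUANTITY}")

    if "price" in form:
        # A legitimate client has no reason to send a price; record the attempt.
        TAMPER_LOG.append(
            f"client-supplied price ignored: fare={fare_id} price={form['price']!r}"
        )

    unit_price = CATALOG[fare_id]  # the only price the server ever uses
    return Order(fare_id, quantity, unit_price * quantity)


def demo() -> tuple[int, int]:
    """Run one constructed tampered request through both handlers.

    Returns (amount charged by the vulnerable handler, amount charged by the
    hardened handler) for a monthly pass whose price field was edited to 50.
    """
    tampered = {"fare_id": "monthly-pass", "quantity": "1", "price": "50"}
    return (
        checkout_trusting_client(tampered).total_charged,
        checkout_server_side(tampered).total_charged,
    )


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(f"vulnerable handler charged {vulnerable} Ft, hardened handler charged {hardened} Ft")
    for entry in TAMPER_LOG:
        print("tamper log:", entry)
```

The design point is that the client only ever identifies *what* it wants to buy; every number that affects money (price, quantity bounds) is decided or checked on the server from its own data. Logging the stray price field rather than only dropping it is what turns a tampering attempt into something a security team can see.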

 

Kenrick

TS Evangelist
Hope the kid is alright. Well, let's see what happens in the next few days. I hope the employees and officials that handled this case of misinformation will be thrown out. Yeah, declare it as a cyberattack and blame it on the kid.
 

Puiu

TS Evangelist
I don't know, but I would say that pissing off the ethical hacking community is probably not a good business move.
It's the best way to actually get hacked, and even the most stupid IT specialist (security credentials not required) will tell you that :D
And what happened afterwards proves that.
 

Kibaruk

TechSpot Paladin
I think it would be safe to assume that a) this is definitely not over, b) they will have a huge issue securing a new IT company to actually make a new site, c) it will be extremely expensive, and d) they will have to create some sort of NSA-type secure site now, else they will never be able to rest.
 

stewi0001

TS Evangelist
Platinum
Are you sure you replied to the correct story?
Yup, it's the correct one. I suppose I could have worded it better.

I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
 

Tanstar

TS Evangelist
Yup, it's the correct one. I suppose I could have worded it better.

I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
Gotcha, I read it like you were referring to the guy that reported the problem.
 

captaincranky

TechSpot Addict
Yup, it's the correct one. I suppose I could have worded it better.
Well Stew, you have to take the time to establish a "frame of reference". You can't simply leave readers hanging on sentences floating in midair. Are those "dangling participles"? Probably not, but I had that phrase pounded into my head during my school daze, and felt the time was right to "pay it forward", as it were. :rolleyes:

I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
Now see, I was closer than many. My guess was you were trashing the CEO of the transit company.

In any case, always establish a frame of reference with your posts. Take my posts as an example. I'm usually so far off topic it's frightening. However, everyone seems to be able to determine what I'm talking about, and it infuriates them! (y) Mission accomplished. :cool:
 

stewi0001

TS Evangelist
Platinum
Well Stew, you have to take the time to establish a "frame of reference". You can't simply leave readers hanging on sentences floating in midair. Are those "dangling participles"? Probably not, but I had that phrase pounded into my head during my school daze, and felt the time was right to "pay it forward", as it were. :rolleyes:

Now see, I was closer than many. My guess was you were trashing the CEO of the transit company.

In any case, always establish a frame of reference with your posts. Take my posts as an example. I'm usually so far off topic it's frightening. However, everyone seems to be able to determine what I'm talking about, and it infuriates them! (y) Mission accomplished. :cool:
You know how they say don't drink and drive? I guess for me it's don't be zoned in writing code and go on Techspot and write comments ;)
 