1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Hungarian teen arrested for exposing major security flaw in public transit website

By Cal Jeffrey ยท 11 replies
Jul 24, 2017
Post New Reply
  1. Many companies reward ethical hackers who report bugs and security flaws to them, but not in Hungary. An 18-year-old Hungarian man was arrested after finding an exploit in a poorly coded website and reporting it to the owner. The site belongs to Budapesti Közlekedési Központ (BKK), which is Budapest’s public transportation authority. One of the functions of the website was to sell tickets, and that was the page where the bug was found.

    The teen had discovered that he could alter ticket prices just by changing them in the source code using the browser’s developer tools. He then ordered a $35 ticket for $0.20. The purchase went through because BKK's system had no validation procedures in place on the client or the server side. So the flaw did not even require any real hacking.

    After he had discovered the flaw, he contacted BKK to let them know about it. However, instead of thanking him and fixing the poor coding, they called the police and filed a complaint that he had “hacked” their systems. The police went to the man’s residence and arrested him in the middle of the night, even though he never used or even received the ticket and didn’t live near Budapest.

    As if they had accomplished something truly noble, BKK held a press conference bragging about how they had thwarted a “cyber attack” and caught the hacker. When word got out that the hacker was a white hat and had tried to warn the company about the flaw, the storm on Twitter was furious. People scolded, cursed, and sarcastically congratulated @bkkbudapest. There is also talk of protests being organized.

    Additionally, the company now has a one-star rating on its Facebook page thanks to thousands of people flocking to it to give them one-star reviews. Currently, the page has 46,000 one-star ratings. Judging by the total number of reviews (only 222 five-star ratings), this is a deficit that BKK will never recover from without creating a new page.

    “Learn to validate server side, you noobs,” said one review. “What were you guys thinking?”

    During its presser, BKK claimed that it had “secured” its systems. Of course, angry white hats immediately scrutinized the site and started pointing out other flaws. One Twitter user even called the website’s security “a goddamn train wreck.” The BKK site is currently down.

    Hungarian IT company, T-Systems has a million dollar contract with BKK and is responsible for the website. The company has not received as much criticism as the transportation authority, but it has received some backlash on social media. Ironically, according to the company’s own website, it has sponsored ethical hacking contests in the past. Since the news broke of this wrongful arrest of an ethical hacker, the company has taken the page down, but thanks to the Internet Archive, nothing is ever really deleted.

    The incident causes one to wonder if there shouldn’t be protections in place for ethical hacking. Should there be laws to protect someone from prosecution if all they were doing was trying to point out a bug in a piece of software or a website? Even though common sense seems to dictate that we should not need them, we do have Good Samaritan laws to protect us from lawsuits and prosecution when trying to save someone’s life. Why shouldn’t we enact similar legislation to protect Cyber-Samaritans?

    Permalink to story.

  2. stewi0001

    stewi0001 TS Evangelist Posts: 2,109   +1,531

    Probably the same person who opens every email attachment and helps out Nigerian princes.
    Reehahs likes this.
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 4,991   +3,404

    No good deed goes unpunished ......
    merikafyeah and liammac002 like this.
  4. Kenrick

    Kenrick TS Evangelist Posts: 630   +403

    Hope the kid is alright. Well lets see what happens in the next few days. I hope the employees and official that handled this case of misinformation will be thrown out. Yeah declare it as a cyberattack and blame it on the kid.
  5. Cal Jeffrey

    Cal Jeffrey TS Evangelist Topic Starter Posts: 1,580   +373

    I don't know, but I would say that pissing off the ethical hacking community is probably not a good business move.
  6. Puiu

    Puiu TS Evangelist Posts: 3,262   +1,712

    it's the best way to actually get hacked and even the most stupid IT specialist (security credentials not required) will tell you that :D
    and what happened afterwards proves that.
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,745   +1,144

    I think it would be safe to assume that a) this is definitely not over, that they will a) have a huge issue securing a new IT company to actually make a new site, b) it will be extremely expensive, c) they will have to create some sort of nsa-type-secure site now, else they will never be able to rest.
    Cal Jeffrey and Tanstar like this.
  8. Tanstar

    Tanstar TS Evangelist Posts: 658   +202

    Are you sure you replied to the correct story?
    Cal Jeffrey likes this.
  9. stewi0001

    stewi0001 TS Evangelist Posts: 2,109   +1,531

    Yup, it's the correct one. I suppose I could have worded it better.

    I am referring to whomever cried wolf after the kid tried to help them with their website. Meaning that they are so "bright" that they probably fall for all the scams that happen on the internet.
  10. Tanstar

    Tanstar TS Evangelist Posts: 658   +202

    Gotcha, I read it like you were referring to the guy that reported the problem.
  11. captaincranky

    captaincranky TechSpot Addict Posts: 14,576   +3,752

    Well Stew, you have take the time to establish a "frame of reference".. You can't simply let readers hanging on sentences floating in midair. Are those, "dangling participles"? Probably not, but I had that phrase pounded into my head during my school daze, and felt the time was right to, "pay it forward", as it were. :rolleyes:

    Now see, I was closer than many. My guess was you were trashing the CEO of the transit company.

    In any case, always establish a frame of reference with your posts. Take my posts as an example. I'm usually so far off topic it's frightening. However, Everyone seems to be able to determine what I'm talking about, and it infuriates them! (y) Mission accomplished.. :cool:
    Cal Jeffrey and stewi0001 like this.
  12. stewi0001

    stewi0001 TS Evangelist Posts: 2,109   +1,531

    You know how they say don't drink and drive? I guess for me it's don't be zoned in writing code and go on Techspot and write comments ;)
    Cal Jeffrey likes this.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...