Many companies reward ethical hackers who report bugs and security flaws to them, but not in Hungary. An 18-year-old Hungarian man was arrested after finding an exploitable flaw in a poorly coded website and reporting it to the owner. The site belongs to Budapesti Közlekedési Központ (BKK), Budapest’s public transportation authority. One of the functions of the website was to sell tickets, and that was the page where the bug was found.
The teen had discovered that he could alter the ticket price simply by editing the value in the page with the browser’s developer tools. He then ordered a $35 ticket for $0.20. The purchase went through because BKK’s system had no validation in place on either the client or the server side, so the flaw did not require any real hacking at all.
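To make the failure concrete, here is an added example (not code from the article, BKK or T-Systems) of a checkout handler written the vulnerable way beside the hardened way; the fare catalogue, the product names and the order shape are all constructed for illustration.

```javascript
// Constructed server-side fare catalogue (hypothetical products and prices).
const FARES = Object.freeze({
  "monthly-pass": 9500,
  "single-ticket": 350,
});

// Vulnerable handler: the server trusts the price the browser submitted.
// Anyone who edits the price field in developer tools pays what they typed.
function checkoutTrustingClient(order) {
  return { product: order.product, charged: Number(order.price) };
}

// Hardened handler: the client may only name the product. The price is
// looked up server side; a client-supplied price is never used for billing.
function checkoutServerPriced(order) {
  const price = FARES[order.product];
  if (price === undefined) {
    return { error: "unknown product" };
  }
  const result = { product: order.product, charged: price };
  // A submitted price that disagrees with the catalogue is the tampering
  // pattern the article describes; flag it so it can be logged and reviewed.
  if (order.price !== undefined && Number(order.price) !== price) {
    result.tamperingSuspected = true;
  }
  return result;
}

// Constructed request body as a tampered browser would send it:
// the hidden price field lowered from 9500 to 50.
const tamperedOrder = { product: "monthly-pass", price: 50 };

console.log(checkoutTrustingClient(tamperedOrder).charged); // 50
console.log(checkoutServerPriced(tamperedOrder));           // charged 9500, tamperingSuspected true
```

The only effective fix is the second shape: hide the price field or add client-side checks and the same edit in developer tools still works.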
After he had discovered the flaw, he contacted BKK to let them know about it. However, instead of thanking him and fixing the poor coding, they called the police and filed a complaint that he had “hacked” their systems. The police went to the man’s residence and arrested him in the middle of the night, even though he never used or even received the ticket and didn’t live near Budapest.
As if they had accomplished something truly noble, BKK held a press conference bragging about how they had thwarted a “cyber attack” and caught the hacker. When word got out that the hacker was a white hat and had tried to warn the company about the flaw, the storm on Twitter was furious. People scolded, cursed, and sarcastically congratulated @bkkbudapest. There is also talk of protests being organized.
Guy who reported the price bug was charged and was taken by police for interrogation. A protest will be held tonight. https://t.co/9SPz0bA6l9 — Gabor Heja (@gheja_) July 24, 2017
Additionally, the company now has a one-star rating on its Facebook page thanks to thousands of people flocking to it to give them one-star reviews. Currently, the page has 46,000 one-star ratings. Judging by the total number of reviews (only 222 five-star ratings), this is a deficit that BKK will never recover from without creating a new page.
“Learn to validate server side, you noobs,” said one review. “What were you guys thinking?”
During its presser, BKK claimed that it had “secured” its systems. Of course, angry white hats immediately scrutinized the site and started pointing out other flaws. One Twitter user even called the website’s security “a goddamn train wreck.” The BKK site is currently down.
T-Systems Hungary shame on you! Sending the SWAT instead of bug bounty to an 18-year-old guy who found a bug on your app??? WTF??? — Csaba SÁRI (@Clausewitz45) July 21, 2017
The Hungarian IT company T-Systems has a million-dollar contract with BKK and is responsible for the website. The company has not received as much criticism as the transportation authority, but it has received some backlash on social media. Ironically, according to the company’s own website, it has sponsored ethical hacking contests in the past. Since the news broke of the wrongful arrest of an ethical hacker, the company has taken that page down, but thanks to the Internet Archive, nothing is ever really deleted.
The incident causes one to wonder if there shouldn’t be protections in place for ethical hacking. Should there be laws to protect someone from prosecution if all they were doing was trying to point out a bug in a piece of software or a website? Even though common sense seems to dictate that we should not need them, we do have Good Samaritan laws to protect us from lawsuits and prosecution when trying to save someone’s life. Why shouldn’t we enact similar legislation to protect Cyber-Samaritans?