Teenager Reports Laughable Flaw In Budapest Transit Authority's Ticketing System And Is Promptly Arrested

from the that's-just-mean dept

For some reason, this keeps happening and I will never understand why. For years, we have covered incidents where security researchers benignly report security flaws in the technology used by companies and governments, doing what can be characterized as a service to both the public and those entities providing the flawed tools, only to find themselves threatened, bullied, detained, or otherwise dicked with as a result. It’s an incredibly frustrating trend to witness, with law enforcement groups and companies that should want to know about these flaws instead shooting the messenger in what tends to look like a fit of embarrassment.

And so the trend continues, with a teenager in Hungary being arrested after pointing out a flaw in the ticketing website for the group that acts as the Budapest public transportation authority, the BKK.

The young man discovered that he could open BKK’s website, press F12 to open the browser’s developer tools, and edit the price field in the page’s HTML before submitting the purchase. Because the server charged whatever price the browser sent back, instead of looking the price up itself, the BKK system accepted the request and issued a ticket at the lower price. Client-side checks would not have helped here, since the client is entirely under the user’s control; the missing control was server-side validation. As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
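To make the failure concrete: the flaw described above is a checkout handler that trusts a client-supplied price. The following is an added example, not BKK’s code and not code from the original article. It models a minimal ticket checkout twice: once trusting the posted price field, as the report describes, and once looking the price up server-side and refusing any mismatch. The ticket ids, catalogue prices and request bodies are constructed for illustration (the 9459 figure is the one quoted in the article).

```python
"""Client-supplied price vs. server-side price lookup.

Added example, not BKK's code: a minimal model of a ticket checkout that
(1) charges the price posted by the browser, the pattern the article
describes, and (2) looks the price up server-side and rejects a mismatch.
Ticket ids, prices and request bodies are constructed for illustration.
"""
from urllib.parse import parse_qs

# Server-side catalogue (constructed). This must be the only source of
# truth for what a ticket costs.
CATALOGUE = {
    "monthly-pass": 9459,   # HUF, the figure quoted in the article
    "single-ticket": 350,   # HUF, constructed
}


class CheckoutError(ValueError):
    """Raised when an order is refused."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    return {k: v[-1] for k, v in fields.items()}


def checkout_insecure(body: str) -> dict:
    """The flawed pattern: charge whatever price the client sent.

    A hidden <input name="price"> edited in the browser's devtools is
    accepted verbatim, so a 9459 HUF pass is sold for 50 HUF.
    """
    form = parse_form(body)
    ticket = form.get("ticket")
    if ticket not in CATALOGUE:
        raise CheckoutError("unknown ticket")
    return {"ticket": ticket, "charged": int(form["price"])}


def checkout_secure(body: str) -> dict:
    """Hardened: the client's price is never used to decide what to charge.

    The catalogue is authoritative. If the client echoes a price at all, a
    mismatch is treated as tampering and the order is refused rather than
    silently corrected, so the attempt can be logged.
    """
    form = parse_form(body)
    ticket = form.get("ticket")
    if ticket not in CATALOGUE:
        raise CheckoutError("unknown ticket")
    price = CATALOGUE[ticket]
    if "price" in form:
        try:
            claimed = int(form["price"])
        except ValueError:
            raise CheckoutError("malformed price") from None
        if claimed != price:
            raise CheckoutError(f"price mismatch: client {claimed}, server {price}")
    return {"ticket": ticket, "charged": price}


def secure_rejects(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        checkout_secure(body)
    except CheckoutError:
        return True
    return False


# Constructed request bodies: an honest checkout and a devtools-edited one.
HONEST = "ticket=monthly-pass&price=9459"
TAMPERED = "ticket=monthly-pass&price=50"
NO_PRICE = "ticket=monthly-pass"

if __name__ == "__main__":
    print("insecure, tampered:", checkout_insecure(TAMPERED))
    try:
        checkout_secure(TAMPERED)
    except CheckoutError as err:
        print("secure, tampered: rejected ->", err)
    print("secure, honest:", checkout_secure(HONEST))
    print("secure, no price field:", checkout_secure(NO_PRICE))
```

The hardened handler does not need the price field at all; a real form should not carry it, and if it is present only as a display convenience the server should treat any disagreement as a tamper signal worth logging rather than something to quietly correct.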

The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems. Police arrested the teenager in the middle of the night shortly after, even though the young man did not live in Budapest and never used the fraudulently obtained ticket.

Teenager discovers flaw, reports it directly to the group affected by that flaw, and subsequently gets arrested? And not only that, actually, as the BKK then held a press conference essentially to brag about the arrest before stomping its metaphorical feet and declaring that its systems were now “secure.” Shortly after the press conference, an outraged internet did its thing and all of a sudden Twitter users began posting all kinds of additional security flaws in BKK sites. On top of that, the IT company BKK contracted to put all of this “security” in place had itself sponsored “ethical hacking” contests in the past. If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I’m having trouble thinking of what that could possibly be.

Meanwhile, the Hungarian public got immediately pissed.

In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK’s page. While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK’s page after the incident became a trending topic on Reddit.

“You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!,” said one user.

I would say this was something of a Streisand Effect except that much of it was kicked off by BKK’s boasting press conference, so unless it is attempting to Streisand itself, this is more along the lines of an agency simply being as dickish as it possibly could after receiving what should have been deemed a gift from a security researcher and now getting slapped around publicly for it. All, mind you, while new security exploits are exposed by an angry internet.

Great job all around, guys.

Companies: bkk


Comments on “Teenager Reports Laughable Flaw In Budapest Transit Authority's Ticketing System And Is Promptly Arrested”

Anonymous Coward says:

"More ethical"

If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I’m having trouble thinking of what that could possibly be.

The "more ethical" version would be finding them without exploiting them. But realistically the transit agency would have to release its source code for that to work, and short of a FOIA-type requirement they probably won’t.

A Dan (profile) says:

Re: "More ethical"

That’s not really an option, because then you don’t know if there’s also server-side validation of the price (which there should be) which would render the bug meaningless. If the price the website thinks it costs is completely ignored, there’s no bug to report. The only way to figure out if a bug exists is to try it.

You could argue that the person should have tested it at a slightly increased price, but that would mean he’d have to be planning to use the ticket. Spending $.20 on a ticket which won’t be used is similar to buying a ticket which will be used at $.20 more than the ticket price. He spent money to test the flaw, he didn’t steal money to test the flaw.

That Anonymous Coward (profile) says:

But this wasn’t a problem until this child told us!!

I am often at a loss how the hell those in power explain this to anyone else. Besides my power causes a form of brain damage, I can’t think of anything those in charge could say to justify crucifying the person who told them about the flaw & didn’t share it everywhere.

They paid a company to provide them security but I’m guessing it’s someone’s cousin or there were nice kickbacks involved.

Imagine my total shock that the internet decided to turn its unblinking eye to the site and nuke it from orbit.

Someone did the RIGHT thing.
Discovered flaw, didn’t use it for his own benefit, informed you, let’s arrest him, let’s give a press conference about how awesome we are.

Not all hackers are evil, but every time they try to do the right thing… the powers that be kick them in the balls for daring to deliver bad news. Perhaps the reason your security sucks is because you punish good guys, who eventually decide to use their skills in other ways.

Anonymous Coward says:

Re: Re:

They, like the US copyright industry via the US government, are trying to make any form of reverse engineering or security research illegal rather than do anything to make systems more secure to begin with. Security is “hard” (read: requires a non-trivial IQ) and government-provided enforcement is free. Industries don’t want to take on that expense and responsibility (and potential lawsuits that follow) themselves so they push, instead, to have it outlawed and absolve themselves of any responsibility.

This is the world we live in now.

Bergman (profile) says:

Re: Re:

The best way I’ve ever heard it described goes like this.

There are two competing mindsets in most corporations. The Bureaucrat and The Engineer.

An Engineer is there to improve the product or service, and do the best job they can. Someone who discovers a flaw is a hero to an Engineer, because they created a new opportunity to improve the product. Everything has bugs, and finding them lets you get rid of them.

A Bureaucrat is there to ensure smooth operations. Problems don’t exist until they are Officially Noticed, and when they are noticed, they were created by whoever caused them to be Officially Noticed — they didn’t exist prior to that moment. Bugs are created by people reporting them, and fixed by destroying the report.

A company needs both to function, but different positions require different mindsets. Having the wrong mindset in any given job creates massive problems for the company.

Anonymous Coward says:

Re: Re: Re:2 Re:

pretty much.
Idealists don’t get to do the work they do without some pragmatists running interference of some sort for them.

why yes…. that IS a t.v. show reference…. +10 pts if you caught it, -100 points for being the kind of colossal nerd that would catch that.

and -1000 for me being the nerd that made it…

Anonymous Coward says:

Re: Re: Re:2 Re:

Yes, bureaucracy is required, but bureaucrats are not necessary. Bureaucrats often hinder progress more than they assist it. Engineers can also take care of bureaucratic roles by themselves when necessary. They may not always do a good job of it, but in my experience, they still do a lot more good than dedicated bureaucrats.

Wendy Cockcroft (user link) says:

Re: Re: Re:3 Re:

So recording, maintaining, and processing records of work, etc., isn’t really all that necessary? You know all the problems you experience when service providers let you down? It’s because they don’t really bother with accurate, efficient administration. Going cheap on the admin staff results in a revolving door environment in which the admin staff don’t know much and don’t really care.

A properly functioning administration department is the cornerstone of any business. Even a one-man-band, which I used to be, requires competent administration.

JoeCool (profile) says:

Re: Re: Re:4 Re:

As he said, “Engineers can also take care of Bureaucratic roles by themselves when necessary.” And we can. Engineers are capable of far more than just engineering, while bureaucrats are capable of almost nothing else. In fact, most of the recording, maintaining, and processing is done BY ENGINEERS, not bureaucrats. At the most, the bureaucrats do little beyond telling the engineers to take care of it.

Anonymous Coward says:

Re: Re: arrested for taking advantage of it

But how else do you know if it is a flaw?

He could’ve increased the ticket price. Probably still illegal but harder to paint as malicious. Or he could have publicly noted that the ticket price is sent from the client to the server, and some "interested party" should see what happens if it’s not the expected value (an authorized party of course ;-).

This is a general problem, though: there’s no (legal) way for people to check for security flaws in most of the services they use. It’s not entirely new (how can I know my bank’s safe is secure if I don’t try to crack it? I wouldn’t take anything…).

Anonymous Coward says:

Re: Re: Re: arrested for taking advantage of it

He could’ve increased the ticket price.

And what point would it serve? Logically – who is going to exploit the service to increase the price of a ticket? Hell, if this was the case – that you can only increase the price – I would have left it in! Donations are not forbidden.

Anonymous Coward says:

Re: Re: Re: arrested for taking advantage of it

Your bank’s safe isn’t intended to be accessible to the public. The flaw here is more akin to a soda machine that says $1.00, but you figure out that it gives you a soda when you put in $.01. Is it illegal to put in $.01 and push the button? Trying to point out a flaw by getting a soda for $1.01 is laughable.

Ninja (profile) says:

Just throw the flaw in the open internet using tools to be as anonymous as possible and let hell break loose. If the exception is to treat these guys as good-intended people that deserve praise then just screw them for good measure.

That’s what these idiots are building. Either that or a future where nobody discloses flaws letting them be silently screwed out of their money. Win!

Anonymous Coward says:

Re: Re:

Guess one needs to use old newspaper and glue these days to report a flaw anonymously

Or, you know, any number of anonymous forums. Government employees who make such basic mistakes aren’t going to break Tor. It doesn’t really work if you’ve tested with your own credit card number, or used the resulting fare on camera, of course.

That One Guy (profile) says:

Re: Vocal assistance vs silent attack

That’s the real kicker about stories like this, with company after company shooting the messenger in an attempt at damage control eventually people will stop trying to be nice.

The good people will simply ignore exploits like this, as it’s too risky to try to inform the company involved, leaving said exploits available for the not-so-good to make use of either personally or selling it to someone else.

In an attempt to maintain ‘security’ by obscurity they are instead driving off the very people trying to help them, and leaving themselves wide open to others with less than sterling intentions.

Anonymous Coward says:

Instantaneous anonymous public bug reporting.

Yes, the companies shoot the messenger. They are the Ravenous Bugblatter Beast of Traal. However, it does not mean we should accept it and stop reporting bugs, letting ourselves be screwed over by the bad guys. Instead we should make the messenger anonymous, instantaneous, and the record public. Yes, there will be an outcry about how unethical that is – publishing a database of 0-days. As if shooting the messenger wasn’t.
We should also assume all the companies would shoot the messenger until proved otherwise.
