Teenager Reports Laughable Flaw In Budapest Transit Authority's Ticketing System And Is Promptly Arrested

from the that's-just-mean dept

For some reason, this keeps happening and I will never understand why. For years, we have covered incidents where security researchers benignly report security flaws in the technology used by companies and governments, doing what can be characterized as a service to both the public and those entities providing the flawed tools, only to find themselves threatened, bullied, detained, or otherwise dicked with as a result. It's an incredibly frustrating trend to witness, with law enforcement groups and companies that should want to know about these flaws instead shooting the messenger in what tends to look like a fit of embarrassment.

And so the trend continues, with a teenager in Hungary being arrested after pointing out a flaw in the ticketing website for the group that acts as the Budapest public transportation authority, the BKK.

The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client- or server-side validation in place, the BKK system accepted the operation and issued a ticket at the lower price. As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
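To make the flaw in the paragraph above concrete, here is a small added Python model of a ticket checkout. It is not BKK's code and not taken from the article's source: one handler bills whatever price the browser submitted (the pattern the article describes), one prices the order from a server-side catalogue and treats any client-supplied price that disagrees as a tamper signal, and a retrospective check shows how an operator would find already-issued orders billed below list price. The 9459 and 50 forint figures are the article's; the product ids, the second catalogue price and the form layout are constructed for the example.

```python
from dataclasses import dataclass

# Constructed server-side catalogue. 9459 HUF is the pass price the article cites;
# the product ids and the single-ticket price are assumptions for this example.
CATALOGUE = {"monthly-pass": 9459, "single-ticket": 450}

# Constructed checkout forms, shaped like what a browser submits. The first is the
# article's case: the price field was edited in developer tools from 9459 to 50.
TAMPERED_FORM = {"product_id": "monthly-pass", "price": "50"}
HONEST_FORM = {"product_id": "monthly-pass", "price": "9459"}


@dataclass
class Order:
    product_id: str
    charged: int  # amount actually billed, in HUF


class RejectedOrder(Exception):
    """Raised by the hardened handler when the request cannot be trusted."""


def checkout_vulnerable(form: dict) -> Order:
    """The flawed pattern: the server bills whatever the client said the price was."""
    return Order(form["product_id"], int(form["price"]))


def checkout_hardened(form: dict) -> Order:
    """Server-side pricing: the client chooses a product, never a price."""
    product_id = form.get("product_id")
    if product_id not in CATALOGUE:
        raise RejectedOrder(f"unknown product {product_id!r}")
    price = CATALOGUE[product_id]
    # A client-supplied price is never used for billing. If the form still carries
    # one, a disagreement with the catalogue is worth rejecting and logging.
    submitted = form.get("price")
    if submitted is not None and str(submitted) != str(price):
        raise RejectedOrder(
            f"price mismatch: client sent {submitted}, catalogue says {price}"
        )
    return Order(product_id, price)


def hardened_outcome(form: dict) -> str:
    """Run the hardened handler and summarise the result as a single string."""
    try:
        order = checkout_hardened(form)
        return f"issued:{order.charged}"
    except RejectedOrder as exc:
        return f"rejected:{exc}"


def find_tampered_orders(orders: list[Order]) -> list[Order]:
    """Retrospective detection: flag issued orders whose billed amount does not
    match the catalogue. This is the check an operator would run after learning
    of the flaw, to size how many tickets were sold below list price."""
    return [o for o in orders if o.charged != CATALOGUE.get(o.product_id)]


if __name__ == "__main__":
    issued = [checkout_vulnerable(TAMPERED_FORM), checkout_vulnerable(HONEST_FORM)]
    print("vulnerable handler billed:", [o.charged for o in issued])
    print("hardened handler, tampered form:", hardened_outcome(TAMPERED_FORM))
    print("hardened handler, honest form:", hardened_outcome(HONEST_FORM))
    print("orders needing review:", find_tampered_orders(issued))
```

The point of the hardened handler is that the price never travels through the client at all; the mismatch check only exists so that a form which still carries a price field produces a loggable event rather than silently being corrected. The retrospective query is the part that answers the "how many people have done this" question that comes up later on this page.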

The teenager — who didn't want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems. Police arrested the teenager in the middle of the night shortly after, even though the young man didn't live in Budapest, nor did he ever use the fraudulently obtained ticket.

Teenager discovers flaw, reports it directly to the group affected by that flaw, and subsequently gets arrested? And not only that, actually, as the BKK then held a press conference essentially to brag about the arrest before stomping its metaphorical feet and declaring that its systems were now "secure." Shortly after the press conference, an outraged internet did its thing and all of a sudden all kinds of security flaws in BKK sites began to emerge from Twitter users. On top of that, the IT company BKK contracted to put all of this "security" in place had itself sponsored "ethical hacking" contests in the past. If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I'm having trouble thinking of what that could possibly be.

Meanwhile, the Hungarian public got immediately pissed.

In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK's page. While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK's page after the incident became a trending topic on Reddit.

"You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!" said one user.

I would say this was something of a Streisand Effect except that much of it was kicked off by BKK's boasting press conference, so unless it is attempting to Streisand itself, this is more along the lines of an agency simply being as dickish as it possibly could after receiving what should have been deemed a gift from a security researcher and now getting slapped around publicly for it. All, mind you, while new security exploits are exposed by an angry internet.

Great job all around, guys.


Reader Comments



  • Anonymous Coward, 26 Jul 2017 @ 9:48am

    "More ethical"

    If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I'm having trouble thinking of what that could possibly be.

    The "more ethical" version would be finding them without exploiting them. But realistically the transit agency would have to release its source code for that to work, and short of a FOIA-type requirement they probably won't.


    • A Dan, 30 Jul 2017 @ 1:26pm

      Re: "More ethical"

      That's not really an option, because then you don't know if there's also server-side validation of the price (which there should be) which would render the bug meaningless. If the price the website thinks it costs is completely ignored, there's no bug to report. The only way to figure out if a bug exists is to try it.

      You could argue that the person should have tested it at a slightly increased price, but that would mean he'd have to be planning to use the ticket. Spending $.20 on a ticket which won't be used is similar to buying a ticket which will be used at $.20 more than the ticket price. He spent money to test the flaw, he didn't steal money to test the flaw.


  • Anonymous Coward, 26 Jul 2017 @ 9:55am

    One has to wonder just how many people have reduced the price of their tickets.


  • NeghVar (profile), 26 Jul 2017 @ 10:07am

    Wait for a malicious one

    It's better just to wait until someone with malicious intent finds the flaw and exploits it. Two subway trains collide at 60 mph each and kills many people. Investigation finds that hacker exploited flaw in security and gained access to track switching


    • csaba215 (profile), 26 Jul 2017 @ 2:01pm

      Re: Wait for a malicious one

      No need to find flaws. A collision already happened due to a software error. Apparently the automatic braking software wasn't prepared for slipping. The issue was already known but nobody cared about it until an accident happened.


  • That Anonymous Coward (profile), 26 Jul 2017 @ 10:10am

    But this wasn't a problem until this child told us!!

    I am often at a loss how the hell those in power explain this to anyone else. Besides my power causes a form of brain damage, I can't think of anything those in charge could say to justify crucifying the person who told them about the flaw & didn't share it everywhere.

    They paid a company to provide them security but I'm guessing it's someone's cousin or there were nice kickbacks involved.

    Imagine my total shock that the internet decided to turn its unblinking eye to the site and nuke it from orbit.

    Someone did the RIGHT thing.
    Discovered flaw, didn't use for his own benefit, informed you, let's arrest him, let's give a press conference about how awesome we are.

    Not all hackers are evil, but every time they try to do the right thing... the powers that be kick them in the balls for daring to deliver bad news. Perhaps the reason your security sucks is because you punish good guys, who eventually decide to use their skills in other ways.


    • Anonymous Coward, 26 Jul 2017 @ 10:36am

      Re:

      They, like the US copyright industry via the US government, are trying to make any form of reverse engineering or security research illegal rather than do anything to make systems more secure to begin with. Security is "hard" (read: requires a non-trivial IQ) and government-provided enforcement is free. Industries don't want to take on that expense and responsibility (and potential lawsuits that follow) themselves so they push, instead, to have it outlawed and absolve themselves of any responsibility.

      This is the world we live in now.


    • Bergman (profile), 26 Jul 2017 @ 12:10pm

      Re:

      The best way I've ever heard it described goes like this.

      There are two competing mindsets in most corporations. The Bureaucrat and The Engineer.

      An Engineer is there to improve the product or service, and do the best job they can. Someone who discovers a flaw is a hero to an Engineer, because they created a new opportunity to improve the product. Everything has bugs, and finding them lets you get rid of them.

      A Bureaucrat is there to ensure smooth operations. Problems don't exist until they are Officially Noticed, and when they are noticed, they were created by whoever caused them to be Officially Noticed -- they didn't exist prior to that moment. Bugs are created by people reporting them, and fixed by destroying the report.

      A company needs both to function, but different positions require different mindsets. Having the wrong mindset in any given job creates massive problems for the company.


      • JoeCool (profile), 26 Jul 2017 @ 3:13pm

        Re: Re:

        A company needs both to function

        That is debatable. You can get along without bureaucrats, but you can't get along without engineers. I'd say it's more like - with a sufficient number of engineers, a company can TOLERATE a small number of bureaucrats.


        • Anonymous Coward, 27 Jul 2017 @ 3:02am

          Re: Re: Re:

          You can get along without bureaucrats, but you can't get along without engineers.

          BKK seems to function well with no engineers at all.


        • Wendy Cockcroft, 27 Jul 2017 @ 5:27am

          Re: Re: Re:

          Eh, I wouldn't say that, JoeCool, and not just because I work as an administrator. Have a read of this and tell me why I'm wrong: https://medium.com/@wendycockcroft/in-defence-of-bureaucracy-f54ddac203f1


          • Anonymous Coward, 27 Jul 2017 @ 2:23pm

            Re: Re: Re: Re:

            pretty much.
            Idealists don't get to do the work they do without some pragmatists running interference of some sort for them.

            why yes.... that IS a t.v. show reference.... +10 pts if you caught it, -100 points for being the kind of colossal nerd that would catch that.

            and -1000 for me being the nerd that made it...


          • Anonymous, 28 Jul 2017 @ 1:51am

            Re: Re: Re: Re:

            Yes, bureaucracy is required, but bureaucrats are not necessary. Bureaucrats more often hinder progress than assist it. Engineers can also take care of Bureaucratic roles by themselves when necessary. They may not always do a good job of it, but in my experience, they still do a lot more good than dedicated bureaucrats.


            • Wendy Cockcroft, 28 Jul 2017 @ 2:26am

              Re: Re: Re: Re: Re:

              So recording, maintaining, and processing records of work, etc., isn't really all that necessary? You know all the problems you experience when service providers let you down? It's because they don't really bother with accurate, efficient administration. Going cheap on the admin staff results in a revolving door environment in which the admin staff don't know much and don't really care.

              A properly functioning administration department is the cornerstone of any business. Even a one-man-band, which I used to be, requires competent administration.


              • JoeCool (profile), 29 Jul 2017 @ 11:47am

                Re: Re: Re: Re: Re: Re:

                As he said, "Engineers can also take care of Bureaucratic roles by themselves when necessary." And we can. Engineers are capable of far more than just engineering, while bureaucrats are capable of almost nothing else. In fact, most of the recording, maintaining, and processing is done BY ENGINEERS, not bureaucrats. At the most, the bureaucrats do little beyond telling the engineers to take care of it.


    • Anonymous Coward, 26 Jul 2017 @ 1:38pm

      Re:

      Well at least they are being told about more security exploits in code now.


  • Matthew H Stevenson, 26 Jul 2017 @ 10:21am

    arrested for taking advantage of it

    He was not arrested for pointing out the flaw, he was arrested for taking advantage of it.

    He bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).


    • Anonymous Coward, 26 Jul 2017 @ 10:38am

      Re: arrested for taking advantage of it

      ...as a proof of the flaw. He then promptly reported both flaw and the ticket.

      How can you logically separate the two as cause for the arrest?


    • Anonymous Coward, 26 Jul 2017 @ 10:40am

      Re: arrested for taking advantage of it

      But how else do you know if it is a flaw? The story said that he did not use the ticket.


      • Anonymous Coward, 26 Jul 2017 @ 11:14am

        Re: Re: arrested for taking advantage of it

        But how else do you know if it is a flaw?

        He could've increased the ticket price. Probably still illegal but harder to paint as malicious. Or he could have publicly noted that the ticket price is sent from the client to the server, and some "interested party" should see what happens if it's not the expected value (an authorized party of course ;-).

        This is a general problem, though: there's no (legal) way for people to check for security flaws in most of the services they use. It's not entirely new (how can I know my bank's safe is secure if I don't try to crack it? I wouldn't take anything...).


        • Anonymous Coward, 26 Jul 2017 @ 1:42pm

          Re: Re: Re: arrested for taking advantage of it

          Since he did not use the ticket nor had any intention to use the ticket his action clearly was not malicious in nature.

          In reality not only did he report a security flaw to them, he paid them 20 cents too!


        • Anonymous Coward, 27 Jul 2017 @ 4:42am

          Re: Re: Re: arrested for taking advantage of it

          He could've increased the ticket price.

          And what point would it serve? Logically - who is going to exploit the service to increase the price of a ticket? Hell, if this was the case - that you can only increase the price - I would have left it in! Donations are not forbidden.


        • Anonymous Coward, 27 Jul 2017 @ 7:26am

          Re: Re: Re: arrested for taking advantage of it

          Your bank's safe isn't intended to be accessible to the public. The flaw here is more akin to a soda machine that says $1.00, but you figure out that it gives you a soda when you put in $.01. Is it illegal to put in $.01 and push the button? Trying to point out a flaw by getting a soda for $1.01 is laughable.


    • Bergman (profile), 26 Jul 2017 @ 12:12pm

      Re: arrested for taking advantage of it

      He bought a ticket that he never used, and in fact could not use. He then reported the problem rather than publishing it.

      He wasn't arrested for committing a crime, he was arrested for making a company look so bad that they lied about him to police.


  • hij (profile), 26 Jul 2017 @ 10:31am

    Kill the Customer

    Customers are such an annoyance. They should just shut up, do what they are told, and hand over their money. Ingrates....


  • Ninja (profile), 26 Jul 2017 @ 10:42am

    Just throw the flaw in the open internet using tools to be as anonymous as possible and let hell break loose. If the exception is to treat these guys as good-intended people that deserve praise then just screw them for good measure.

    That's what these idiots are building. Either that or a future where nobody discloses flaws letting them be silently screwed out of their money. Win!


    • Anonymous Coward, 26 Jul 2017 @ 11:15am

      Re:

      a future where nobody discloses flaws letting them be silently screwed out of their money

      That sums up the last few decades of bank-card security pretty well...


  • Anonymous Coward, 26 Jul 2017 @ 10:58am

    Guess one needs to use old newspaper and glue these days to report a flaw anonymously, just be careful about those finger prints.


    • Anonymous Coward, 26 Jul 2017 @ 11:22am

      Re:

      Guess one needs to use old newspaper and glue these days to report a flaw anonymously

      Or, you know, any number of anonymous forums. Government employees who make such basic mistakes aren't going to break Tor. It doesn't really work if you've tested with your own credit card number, or used the resulting fare on camera, of course.


  • Anonymous Coward, 26 Jul 2017 @ 11:44am

    So, the BKK site said "We'll sell you this ticket for 9459 forints." The teen said "How about you sell it to me for 50 forints?" and the BKK server responded "OK! Here you go!"

    This doesn't sound like hacking. It sounds like haggling. Not his fault that the developer made the site a bad negotiator.


  • Anonymous Coward, 26 Jul 2017 @ 5:06pm

    Better, Alternative Ending

    "...tens of thousands of Hungarians have shown their solidarity and support for the teenager by going" online and using their browsers' development mode to buy REALLY cheap tickets.


  • Pixelation, 26 Jul 2017 @ 6:48pm

    The answer in Budapest

    The answer is to go sell the exploit. If they're going to be assholes about it, go make some money instead.


    • That One Guy (profile), 26 Jul 2017 @ 8:14pm

      Vocal assistance vs silent attack

      That's the real kicker about stories like this, with company after company shooting the messenger in an attempt at damage control eventually people will stop trying to be nice.

      The good people will simply ignore exploits like this, as it's too risky to try to inform the company involved, leaving said exploits available for the not-so-good to make use of either personally or selling it to someone else.

      In an attempt to maintain 'security' by obscurity they are instead driving off the very people trying to help them, and leaving themselves wide open to others with less than sterling intentions.


  • ender (profile), 27 Jul 2017 @ 1:11am

    Didn't somebody dump BKK's database in the aftermath?


  • Anonymous Coward, 27 Jul 2017 @ 3:16am

    Instantaneous anonymous public bug reporting.

    Yes, the companies shoot the messenger. They are the Ravenous Bugblatter Beast of Traal. However, it does not mean we should accept it and stop reporting bugs, letting us be screwed over by the bad guys. Instead we should make the messenger anonymous, instantaneous, and the record public. Yes, there will be an outcry how unethical that is - publishing a database of 0-days. As if shooting the messenger wasn't.
    We should also assume all the companies would shoot the messenger until proved otherwise.



Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.