Teenager Reports Laughable Flaw In Budapest Transit Authority's Ticketing System And Is Promptly Arrested
from the that's-just-mean dept
For some reason, this keeps happening and I will never understand why. For years, we have covered incidents where security researchers benignly report security flaws in the technology used by companies and governments, doing what can be characterized as a service to both the public and those entities providing the flawed tools, only to find themselves threatened, bullied, detained, or otherwise dicked with as a result. It's an incredibly frustrating trend to witness, with law enforcement groups and companies that should want to know about these flaws instead shooting the messenger in what tends to look like a fit of embarrassment.
And so the trend continues, with a teenager in Hungary being arrested after pointing out a flaw in the ticketing website for the group that acts as the Budapest public transportation authority, the BKK.
The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price. As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
The teenager — who didn't want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems. Police arrested the teenager in the middle of the night shortly after, even if the young man didn't live in Budapest, nor did he ever use the fraudulently obtained ticket.
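To make the reported mechanism concrete, here is an added illustration (not BKK's code, nor code from the reporting quoted above) of a checkout handler that trusts a price hidden in the page's form beside one that re-derives the price server-side and flags a mismatch; the ticket ids, catalog values and request are constructed.

```python
# Added illustration of the class of flaw described above: a server that
# charges whatever price the client form submits, beside a hardened version.
from decimal import Decimal

# Constructed server-side price list in forints; ticket ids are hypothetical.
CATALOG = {"monthly-pass": Decimal("9459"), "single": Decimal("350")}


class Rejected(Exception):
    """Raised when a checkout request fails server-side validation."""


def checkout_vulnerable(form: dict) -> Decimal:
    """Mirrors the reported flaw: the price field that the page carries is
    taken at face value, so editing it in developer tools sets the charge."""
    return Decimal(form["price"])


def checkout_hardened(form: dict) -> Decimal:
    """Treats price as a server-side fact: look it up by ticket id, and use any
    client-supplied price only as a tamper signal for the security log."""
    ticket_id = form.get("ticket_id")
    if ticket_id not in CATALOG:
        raise Rejected(f"unknown ticket id {ticket_id!r}")
    price = CATALOG[ticket_id]
    claimed = form.get("price")
    if claimed is not None and Decimal(claimed) != price:
        # Detection hook: a mismatch means the form was modified client-side.
        print(f"ALERT tampered price for {ticket_id}: claimed {claimed}, actual {price}")
    return price


if __name__ == "__main__":
    # Constructed request resembling the one described in the article.
    tampered = {"ticket_id": "monthly-pass", "price": "50"}
    print("vulnerable handler charges:", checkout_vulnerable(tampered))
    print("hardened handler charges:", checkout_hardened(tampered))
```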
Teenager discovers flaw, reports it directly to the group affected by that flaw, and subsequently gets arrested? And not only that, actually, as the BKK then held a press conference essentially to brag about the arrest before stomping its metaphorical feet and declaring that its systems were now "secure." Shortly after the press conference, an outraged internet did its thing and all of the sudden all kinds of security flaws in BKK sites began to emerge from Twitter users. On top of that, the IT company BKK contracted to put all of this "security" in place had itself sponsored "ethical hacking" contests in the past. If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I'm having trouble thinking of what that could possibly be.
Meanwhile, the Hungarian public got immediately pissed.
In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK's page. While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK's page after the incident become a trending topic on Reddit.
"You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!," said one user.
I would say this was something of a Streisand Effect except that much of it was kicked off by BKK's boasting press conference, so unless it is attempting to Streisand itself, this is more along the lines of an agency simply being as dickish as it possibly could after receiving what should have been deemed a gift from a security researcher and now getting slapped around publicly for it. All, mind you, while new security exploits are exposed by an angry internet.
Great job all around, guys.
Reader Comments
"More ethical"
The "more ethical" version would be finding them without exploiting them. But realistically the transit agency would have to release its source code for that to work, and short of a FOIA-type requirement they probably won't.
Re: "More ethical"
You could argue that the person should have tested it at a slightly increased price, but that would mean he'd have to be planning to use the ticket. Spending $.20 on a ticket which won't be used is similar to buying a ticket which will be used at $.20 more than the ticket price. He spent money to test the flaw, he didn't steal money to test the flaw.
I am often at a loss how the hell those in power explain this to anyone else. Besides my power causes a form of brain damage, I can't think of anything those in charge could say to justify crucifying the person who told them about the flaw & didn't share it everywhere.
They paid a company to provide them security but I'm guessing it's someone's cousin or there were nice kickbacks involved.
Imagine my total shock that the internet decided to turn its unblinking eye to the site and nuke it from orbit.
Someone did the RIGHT thing.
Discovered flaw, didn't use for his own benefit, informed you, lets arrest him, lets give a press conference about how awesome we are.
Not all hackers are evil, but every time they try to do the right thing... the powers that be kick them in the balls for daring to deliver bad news. Perhaps the reason your security sucks is because you punish good guys, who eventually decide to use their skills in other ways.
Re:
This is the world we live in now.
Re:
There are two competing mindsets in most corporations. The Bureaucrat and The Engineer.
An Engineer is there to improve the product or service, and do the best job they can. Someone who discovers a flaw is a hero to an Engineer, because they created a new opportunity to improve the product. Everything has bugs, and finding them lets you get rid of them.
A Bureaucrat is there to ensure smooth operations. Problems don't exist until they are Officially Noticed, and when they are noticed, they were created by whoever caused them to be Officially Noticed -- they didn't exist prior to that moment. Bugs are created by people reporting them, and fixed by destroying the report.
A company needs both to function, but different positions require different mindsets. Having the wrong mindset in any given job creates massive problems for the company.
Re: Re:
That is debatable. You can get along without bureaucrats, but you can't get along without engineers. I'd say it's more like - with a sufficient number of engineers, a company can TOLERATE a small number of bureaucrats.
Re: Re: Re:
BKK seems to function well with no engineers at all.
Re: Re: Re: Re:
Idealists don't get to do the work they do without some pragmatists running interference of some sort for them.
why yes.... that IS a t.v. show reference.... +10 pts if you caught it, -100 points for being the kind of colossal nerd that would catch that.
and -1000 for me being the nerd that made it...
Re: Re: Re: Re: Re:
A properly functioning administration department is the cornerstone of any business. Even a one-man-band, which I used to be, requires competent administration.
arrested for taking advantage of it
He bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
Re: arrested for taking advantage of it
How can you logically separate the two as cause for the arrest?
Re: Re: arrested for taking advantage of it
He could've increased the ticket price. Probably still illegal but harder to paint as malicious. Or he could have publicly noted that the ticket price is sent from the client to the server, and some "interested party" should see what happens if it's not the expected value (an authorized party of course ;-).
This is a general problem, though: there's no (legal) way for people to check for security flaws in most of the services they use. It's not entirely new (how can I know my bank's safe is secure if I don't try to crack it? I wouldn't take anything...).
Re: Re: Re: arrested for taking advantage of it
In reality not only did he report a security flaw to them, he paid them 20 cents too!
Re: Re: Re: arrested for taking advantage of it
And what point would it serve? Logically - who is going to exploit the service to increase the price of a ticket? Hell, if this was the case - that you can only increase the price - I would have left it in! Donations are not forbidden.
Re: arrested for taking advantage of it
He wasn't arrested for committing a crime, he was arrested for making a company look so bad that they lied about him to police.
Kill the Customer
That's what these idiots are building. Either that or a future where nobody discloses flaws letting them be silently screwed out of their money. Win!
Re:
That sums up the last few decades of bank-card security pretty well...
Re:
Or, you know, any number of anonymous forums. Government employees who make such basic mistakes aren't going to break Tor. It doesn't really work if you've tested with your own credit card number, or used the resulting fare on camera, of course.
This doesn't sound like hacking. It sounds like haggling. Not his fault that the developer made the site a bad negotiator.
Vocal assistance vs silent attack
That's the real kicker about stories like this: with company after company shooting the messenger in an attempt at damage control, eventually people will stop trying to be nice.
The good people will simply ignore exploits like this, as it's too risky to try to inform the company involved, leaving said exploits available for the not-so-good to make use of either personally or selling it to someone else.
In an attempt to maintain 'security' by obscurity they are instead driving off the very people trying to help them, and leaving themselves wide open to others with less than sterling intentions.
Instantaneous anonymous public bug reporting.
We should also assume all the companies would shoot the messenger until proved otherwise.