Teenager Reports Laughable Flaw In Budapest Transit Authority's Ticketing System And Is Promptly Arrested

Failures

from the that's-just-mean dept

For some reason, this keeps happening and I will never understand why. For years, we have covered incidents where security researchers benignly report security flaws in the technology used by companies and governments, doing what can be characterized as a service to both the public and those entities providing the flawed tools, only to find themselves threatened, bullied, detained, or otherwise dicked with as a result. It’s an incredibly frustrating trend to witness, with law enforcement groups and companies that should want to know about these flaws instead shooting the messenger in what tends to look like a fit of embarrassment.

And so the trend continues, with a teenager in Hungary being arrested after pointing out a flaw in the ticketing website for the group that acts as the Budapest public transportation authority, the BKK.

The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price. As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).

The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems. Police arrested the teenager in the middle of the night shortly after, even if the young man didn’t live in Budapest, nor did he ever use the fraudulently obtained ticket.

Teenager discovers flaw, reports it directly to the group affected by that flaw, and subsequently gets arrested? And not only that, actually, as the BKK then held a press conference essentially to brag about the arrest before stomping its metaphorical feet and declaring that its systems were now “secure.” Shortly after the press conference, an outraged internet did its thing and all of the sudden all kinds of security flaws in BKK sites began to emerge from Twitter users. On top of that, the IT company BKK contracted to put all of this “security” in place had itself sponsored “ethical hacking” contests in the past. If there is a more ethical version of hacking than finding exploits in public systems and reporting them immediately, I’m having trouble thinking of what that could possibly be.

Meanwhile, the Hungarian public got immediately pissed.

In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK’s page. While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK’s page after the incident become a trending topic on Reddit.

“You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!,” said one user.

I would say this was something of a Streisand Effect except that much of it was kicked off by BKK’s boasting press conference, so unless it is attempting to Streisand itself, this is more along the lines of an agency simply being as dickish as it possibly could after receiving what should have been deemed a gift from a security researcher and now getting slapped around publicly for it. All, mind you, while new security exploits are exposed by an angry internet.

Great job all around, guys.

Filed Under: arrest, blame the messenger, budapest, hungary, reporting, security, security flaws, vulnerabilities
Companies: bkk