SoylentNews

Teenage Security Researcher Reports Flaw in Budapest Transport Authority Site, Is Arrested

posted by martyb on Thursday August 17 2017, @12:48PM   
from the no-good-deed-goes-unpunished dept.

An Anonymous Coward writes:

An 18-year-old Hungarian man was taken into custody after reporting one of the numerous bugs in the Budapest Transport Authority's site. He found the bug by using the "view source" feature of his browser. He then bought a ticket at much less than its usual price, and reported the problem to the transit authority without using the ticket.

Bleeping Computer has a translation of a message from the arrestee:

I am an 18-year-old, now middle school graduate. Perhaps that which differs from the average, is that I trust that I can help solve a mistake.
I discovered last Friday [2017-07-22] that I could take a monthly ticket for 50 for the new internet e-ticket system in BKK, and then informed them about two minutes later. I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).
The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people - no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report

---

Original Submission #1  Original Submission #2 

• Re:Old news (Score: 5, Informative) by c0lo on Thursday August 17 2017, @01:27PM

  by c0lo (156) on Thursday August 17 2017, @01:27PM (#555281) Journal

  El Reg has a more complete story [theregister.co.uk]

  As the outcry against the company's actions grew, Dabóczi [BKK CEO] was forced to defend himself Monday morning on the radio. He doubled-down, claiming that the boy has sent his emails to accounts that he knew the company would not read – one of which was bkk@bkk.hu – and then posted his discovery of the hole online.

  When that claim was met with skepticism, Dabóczi attempted to shift focus onto the company that operates the website's backend, T‑Systems, saying he had asked its CEO to write a report explaining the error and noted that it was T‑Systems, and not BKK, that had filed the complaint.

  Here's a shovel

  For his part, the T‑Systems' CEO Zoltán Kaszás has also been forced to apologize, especially after it was revealed the company is paid $1m a year to maintain the system and its security.
  ...
  With the BKK website down, its Facebook page swamped with over 46,000 one-star reviews, protestors outside its headquarters and the media interviewing the hacker and painting him as a put-upon hero – it is hard to imagine how BKK could have done a worse, and less grateful, job.

  --
  https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

  Parent

  Starting Score:	1		point
  Moderation		+3
  Informative=3, Total=3
  Extra 'Informative' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		5