Photo: Flauschmeister_C/Pixabay

Hungarian teenager arrested after reporting an exploit in BKK’s train payment system

Bradley Wint
By - Founder/Executive Editor
Jul 30, 2017 4:39pm AST
Photo: Flauschmeister_C/Pixabay

Recently, the Budapest Transport Authority (BKK) launched a new online payment system, which took three months to build with the help of T-Systems Hungary.

What the government did not realize was that they got a steaming pile of crap that could easily be exploited by someone’s Facebook quiz-playing grandma.

It turns out that the payment system was extremely poorly coded, allowing anyone with some basic understanding of computers, the ability to exploit the system.

The discovery was first made when a Hungarian teenager figured out that ticket prices could easily be altered by simply using the browser’s Element Inspector (viewable by pressing F12 on the keyboard) and changing the ticket price on the website. As the software had no server-side checks, it took whatever value was on the user’s end as the correct price for tickets.

As proof-of-concept, the 18-year-old boy successfully purchased a ticket at a much lower price after changing the ticket price from 9459 Hungarian forints (US $35) to 50 Hungarian forints (US $0.20). It was also noted that the boy did not live in Budapest, nor did he have intentions of using the ticket, but purchased it just to prove his point.

He reported the issue to BKK via email, but instead of the company trying to clean up their mess, they sent the police for the young white hat. He was arrested just one week later, and BKK went so far as to make a public announcement about a “hacker” being caught, and claiming that their system was secure. Unfortunately for them, this was only the start of a long nightmare.

Real Infosec hackers joined in and tore the site apart, bringing to light many security flaws left behind due to improper coding.

For instance, one security researcher pointed out that the administrator login password was “adminadmin”, and that the CAPTCHA combination was clear as day when they viewed the source code from the browser’s end.

The teenager spoke about the incident via a press conference saying that he merely wanted to highlight the security issue with a demonstration, and that he had no intention of taking advantage of the flaw for his personal gain. He also asked BKK to drop the charges against him.

Once the issue came to public light, there was mass uproar given that the transport company was spending $1 million per year on maintenance costs of its IT systems. They also took to BKK’s Facebook page, rating the service negatively, with over 47,000+ 1 out of 5 star ratings.

When pressed about the situation, BKK’s chairman put full blame on T-Systems Hungary. The IT firm then responded in a non-apologetic manner, saying the following.

I personally feel for the young man concerned, however, I would like to underline that under the given circumstances we had no other option, but to press charges against an unknown offender (as the young man did not contact us). Upon pressing charges, we provided all the information and data available about the involved parties to the authorities for clarification purposes, and shall do so in the future, too. In my capacity as head of T-Systems Hungary, and assuming that the ethical conduct of the young man is ascertained, I would like to offer him the possibility that we cooperate in the future, if he is open to such a cooperation.

The case has revealed that a widely accepted practice of ethical hacking does not exist in Hungary, and partly perhaps due to lack of such, a true consensus has also not evolved, yet. It is time to start the social and professional dialogue addressing “ethical hacking” in Hungary, too, and to establish the relevant legal and regulatory frameworks for the activity. Pursuing this objective, T-Systems shall introduce some relevant initiatives (“bug bounty”) in the near future.

Currently the matter is still pending, and the teenager has chosen to remain mum about the situation until the case is closed.

Have your say

Comments are closed.

Stay in check with our daily burst of news stories delivered to your inbox.

Read more

Up to 40,000 OnePlus customers have their credit card details exposed in data breach

Privacy/Security - If you’ve recently purchased something via the OnePlus website, you may need to regularly check your credit card statement as…

By - Jan 19, 2018 5:04pm AST

The 9 best vlogging cameras for 2018

Entertainment - Even with the YouTube apocalypse, vlogging is still a huge deal. Last year we talked about some of the top…

By - Jan 19, 2018 1:42am AST

YouTube and Facebook pull Tide Pod Challenge videos because people are stupid

Social Media - It’s a new year and people are already doing dumb things for their 15 minutes of internet fame. Both Facebook…

By - Jan 18, 2018 11:10pm AST

Apple will soon allow you to disable battery management software on older iPhones

Mobile - After a wave of mounting criticism, lawsuits, and PR statements, Tim Cook has announced that users will now have the…

By - Jan 18, 2018 3:21am AST

7 things the media gets wrong about air travel and aviation

Travel - When there is ‘trouble’ in the sky, there tends to be ‘trouble’ with the reporting as well. Many news agencies,…

By - Jan 18, 2018 1:47am AST

Apple issues iOS 11.2.2 to address Spectre vulnerability

Mobile - In the wake of the industry-wide Spectre and Meltdown chip flaws, Apple has issued a security update for iOS 11…

By - Jan 8, 2018 2:55pm AST

Social media “Fear Of Missing Out” detrimental to our mental well-being

Science/Space - Human beings generally see themselves in the best light possible compared to others. This psychological phenomenon is called illusory superiority….

By - Jan 2, 2018 11:50pm AST

Passengers on Hawaiian Airlines flight celebrate New Year’s Day twice due to delay

Travel - Passengers on board a Hawaiian Airlines flight from Auckland, New Zealand to Honolulu, Hawaii were able to celebrate New Year’s…

By - Jan 1, 2018 11:13pm AST

LG shows off world’s first 88-inch 8K OLED display for CES 2018

Technology - LG is stepping up the display game with the unveiling of a world first 88-inch, 8K OLED display. When compared…

By - Jan 1, 2018 10:33pm AST

How to fix Samsung Galaxy Note 8 charging issues

Technology - Some Samsung Galaxy Note 8 customers have run into a peculiar situation where their phones refuse to charge after being…

By - Jan 1, 2018 12:31am AST