Recently, the Budapest Transport Authority (BKK) launched a new online payment system, which took three months to build with the help of T-Systems Hungary.
What the government did not realize was that they got a steaming pile of crap that could easily be exploited by someone’s Facebook quiz-playing grandma.
It turns out that the payment system was extremely poorly coded, allowing anyone with a basic understanding of computers to exploit it.
The discovery was first made when a Hungarian teenager figured out that ticket prices could easily be altered simply by opening the browser's Element Inspector (viewable by pressing F12 on the keyboard) and editing the ticket price on the page. Because the software had no server-side checks, it accepted whatever value came from the user's browser as the correct price for the ticket.
As proof-of-concept, the 18-year-old boy successfully purchased a ticket at a much lower price after changing the ticket price from 9459 Hungarian forints (US $35) to 50 Hungarian forints (US $0.20). It was also noted that the boy did not live in Budapest, nor did he have intentions of using the ticket, but purchased it just to prove his point.
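To make the flaw concrete, here is the checkout pattern the article describes (the server charges whatever price the browser posts) beside a hardened version that ignores the client-supplied price and recomputes it from a server-side catalog. This is an added illustration, not BKK's or T-Systems' code; the product names, the 350 HUF value and the form field names are constructed assumptions, while 9459 and 50 are the figures from the article.

```python
from dataclasses import dataclass

# Server-side source of truth for ticket prices in HUF. Product names and the
# 350 HUF value are constructed; 9459 is the pass price quoted in the article.
CATALOG_HUF = {"monthly_pass": 9459, "single_ticket": 350}

# Constructed form post mirroring the reported case: the browser-side price
# field has been edited from 9459 down to 50 before submission.
TAMPERED_FORM = {"product_id": "monthly_pass", "quantity": "1", "price": "50"}


class ValidationError(ValueError):
    """Raised when a checkout request is rejected by server-side validation."""


@dataclass(frozen=True)
class Order:
    product_id: str
    quantity: int
    total_huf: int


def checkout_vulnerable(form: dict) -> Order:
    """The pattern the article describes: the server charges what the client posts."""
    qty = int(form["quantity"])
    unit_price = int(form["price"])  # client-controlled; no server-side check
    return Order(form["product_id"], qty, unit_price * qty)


def checkout_hardened(form: dict) -> Order:
    """Price comes only from the server-side catalog; any client 'price' is ignored."""
    product_id = form.get("product_id")
    if product_id not in CATALOG_HUF:
        raise ValidationError(f"unknown product {product_id!r}")
    try:
        qty = int(form.get("quantity", 1))
    except (TypeError, ValueError):
        raise ValidationError("quantity must be an integer") from None
    if not 1 <= qty <= 10:  # bounds also stop zero or negative totals
        raise ValidationError("quantity out of range")
    return Order(product_id, qty, CATALOG_HUF[product_id] * qty)


def price_tampered(form: dict) -> bool:
    """Detection hook: True when a submitted price disagrees with the catalog."""
    try:
        return int(form["price"]) != CATALOG_HUF[form["product_id"]]
    except (KeyError, TypeError, ValueError):
        return False
```

Run against `TAMPERED_FORM`, the vulnerable handler bills 50 HUF while the hardened one bills 9459 HUF, and `price_tampered` flags the request for logging.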
He reported the issue to BKK via email, but instead of the company trying to clean up their mess, they sent the police for the young white hat. He was arrested just one week later, and BKK went so far as to make a public announcement about a “hacker” being caught, and claiming that their system was secure. Unfortunately for them, this was only the start of a long nightmare.
Real infosec hackers joined in and tore the site apart, bringing to light many security flaws left behind by improper coding.
For instance, one security researcher pointed out that the administrator login password was “adminadmin”, and that the CAPTCHA combination was clear as day when they viewed the source code from the browser’s end.
The teenager spoke about the incident via a press conference saying that he merely wanted to highlight the security issue with a demonstration, and that he had no intention of taking advantage of the flaw for his personal gain. He also asked BKK to drop the charges against him.
Once the issue came to public light, there was mass uproar, given that the transport company was spending $1 million per year on maintenance of its IT systems. The public also took to BKK’s Facebook page, rating the service negatively with over 47,000 one-out-of-five-star ratings.
When pressed about the situation, BKK’s chairman put full blame on T-Systems Hungary. The IT firm then responded in a non-apologetic manner, saying the following.
I personally feel for the young man concerned; however, I would like to underline that under the given circumstances we had no other option but to press charges against an unknown offender (as the young man did not contact us). Upon pressing charges, we provided all the information and data available about the involved parties to the authorities for clarification purposes, and shall do so in the future, too. In my capacity as head of T-Systems Hungary, and assuming that the ethical conduct of the young man is ascertained, I would like to offer him the possibility that we cooperate in the future, if he is open to such a cooperation.
The case has revealed that a widely accepted practice of ethical hacking does not exist in Hungary, and partly perhaps due to the lack of such, a true consensus has also not evolved yet. It is time to start the social and professional dialogue addressing “ethical hacking” in Hungary, too, and to establish the relevant legal and regulatory frameworks for the activity. Pursuing this objective, T-Systems shall introduce some relevant initiatives (“bug bounty”) in the near future.
Currently the matter is still pending, and the teenager has chosen to remain mum about the situation until the case is closed.