Hungarian teenager arrested after reporting an exploit in BKK’s train payment system

Bradley Wint
Jul 30, 2017 4:39pm AST
Photo: Flauschmeister_C/Pixabay

Recently, the Budapest Transport Authority (BKK) launched a new online payment system, which took three months to build with the help of T-Systems Hungary.

What the government did not realize was that they got a steaming pile of crap that could easily be exploited by someone’s Facebook quiz-playing grandma.

It turns out that the payment system was extremely poorly coded, allowing anyone with a basic understanding of computers to exploit it.

The discovery was first made when a Hungarian teenager figured out that ticket prices could easily be altered by simply using the browser’s Element Inspector (opened by pressing F12 on the keyboard) and changing the ticket price on the website. As the software had no server-side checks, it accepted whatever value the user’s browser sent as the correct price for the ticket.

As a proof of concept, the 18-year-old successfully purchased a ticket at a much lower price after changing the ticket price from 9459 Hungarian forints (US $35) to 50 Hungarian forints (US $0.20). It was also noted that he did not live in Budapest, nor did he intend to use the ticket; he purchased it only to prove his point.

He reported the issue to BKK via email, but instead of the company trying to clean up their mess, they sent the police for the young white hat. He was arrested just one week later, and BKK went so far as to make a public announcement about a “hacker” being caught, and claiming that their system was secure. Unfortunately for them, this was only the start of a long nightmare.


Real infosec hackers then joined in and tore the site apart, bringing to light many more security flaws left behind by improper coding.

For instance, one security researcher pointed out that the administrator login password was “adminadmin”, and that the CAPTCHA answer was visible in plain text when they viewed the page source from the browser’s end.
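Both flaws above come down to the server trusting state that the browser controls. The following is an added illustration, not code from BKK or T-Systems: a ticket-purchase handler that takes the price and the expected CAPTCHA answer from the submitted form (so editing hidden fields with F12 changes what gets charged), next to a hardened version that keeps the price list and the CAPTCHA answer on the server. Product ids, the session layout and the sample form are assumptions.

```javascript
// Constructed example: server-side handling of a ticket purchase.
// The 9459 HUF price is the article's figure; the product id is made up.
const CATALOG = { "monthly-pass": 9459 };

// Vulnerable: price and expected CAPTCHA answer both arrive from the client.
// Anything the browser sends is accepted as-is, which is the flaw reported.
function purchaseVulnerable(form) {
  if (form.captchaInput !== form.captchaExpected) {
    return { ok: false, reason: "captcha" };
  }
  return { ok: true, charged: Number(form.price) };
}

// Hardened: the client only names a product and types the CAPTCHA text.
// The price is looked up server-side and the CAPTCHA answer is compared
// against the copy stored in the server-side session, never the form.
function purchaseHardened(form, session) {
  if (typeof form.captchaInput !== "string" ||
      form.captchaInput !== session.captchaAnswer) {
    return { ok: false, reason: "captcha" };
  }
  const price = CATALOG[form.productId];
  if (price === undefined) {
    return { ok: false, reason: "unknown product" };
  }
  return { ok: true, charged: price };
}

// Constructed request: a form whose hidden fields were edited in the
// browser's element inspector before submission.
const TAMPERED_FORM = {
  productId: "monthly-pass",
  price: "50",              // hidden field originally held 9459
  captchaExpected: "abcd",  // leaked into the page source, then rewritten
  captchaInput: "abcd",
};
// Server-side copy of the real CAPTCHA answer for this session (assumed).
const SESSION = { captchaAnswer: "x7k2" };

console.log(purchaseVulnerable(TAMPERED_FORM));        // charged: 50
console.log(purchaseHardened(TAMPERED_FORM, SESSION)); // ok: false, captcha
```

The hardened handler charges 9459 for the same product id once the real CAPTCHA text is supplied, regardless of what the form claims the price is.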

The teenager spoke about the incident at a press conference, saying that he merely wanted to highlight the security issue with a demonstration and that he had no intention of taking advantage of the flaw for personal gain. He also asked BKK to drop the charges against him.

Once the issue came to public light, there was mass uproar, given that the transport company was spending $1 million per year on maintenance of its IT systems. Angry users also took to BKK’s Facebook page, rating the service negatively with more than 47,000 one-out-of-five-star ratings.

When pressed about the situation, BKK’s chairman put full blame on T-Systems Hungary. The IT firm then responded, unapologetically, with the following statement.

I personally feel for the young man concerned; however, I would like to underline that under the given circumstances we had no other option but to press charges against an unknown offender (as the young man did not contact us). Upon pressing charges, we provided all the information and data available about the involved parties to the authorities for clarification purposes, and shall do so in the future, too. In my capacity as head of T-Systems Hungary, and assuming that the ethical conduct of the young man is ascertained, I would like to offer him the possibility that we cooperate in the future, if he is open to such a cooperation.

The case has revealed that a widely accepted practice of ethical hacking does not exist in Hungary, and partly perhaps due to the lack of such, a true consensus has also not evolved yet. It is time to start the social and professional dialogue addressing “ethical hacking” in Hungary, too, and to establish the relevant legal and regulatory frameworks for the activity. Pursuing this objective, T-Systems shall introduce some relevant initiatives (“bug bounty”) in the near future.

Currently the matter is still pending, and the teenager has chosen to remain mum about the situation until the case is closed.
