Slashdot Mirror


Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

9 of 295 comments

  1. Re: what would of a negative number done? by Anonymous Coward · Score: 1, Informative

    it would have told you the correct grammar is:

    "What would be the result of changing the price to a negative number"

    and then it would have positively fucked your mother

  2. Re: what would of a negative number done? by Anonymous Coward · Score: 0, Informative

    When being a grammar Nazi, first learn the purpose of shift keys and periods.

  3. Client-side validation? by whoever57 · Score: 1, Informative

    Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

    Surely no e-commerce site should rely on client-side validation? That seems like asking for trouble.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Client-side validation? by geoskd · Score: 5, Informative

      A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets.

      Umm, No.

      TCP/IP (specifically the transport layer) handles packet integrity. What gets sent is what is delivered or nothing at all. Client side validation's only purpose is to ensure that the user is informed when they have entered invalid information so that they can correct their mistake. If you are trying to use it any other way, I hope you are not a professional web developer.

      --
      I wish I had a good sig, but all the good ones are copyrighted
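    The summary describes a checkout that billed whatever price the browser sent, and the exchange above argues that client-side validation is only a convenience for the user. As an added example (not BKK's or T-Systems' code; the catalogue and product ids are constructed placeholders), here is that flawed server-side pattern beside a hardened one that prices the order itself and treats a mismatching client-sent price as a tamper signal:

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalogue (product id -> price); real BKK product ids
# and prices are not on the page, so these are placeholders.
CATALOGUE = {
    "single-ticket": Decimal("350"),
    "airport-bus": Decimal("900"),
}

class CheckoutError(ValueError):
    """Raised when the server rejects an order."""

def checkout_trusting_client(order):
    """The flawed pattern: the server bills whatever 'price' the browser
    submitted, so editing a field in the dev tools changes the total."""
    return Decimal(str(order["price"])) * int(order["qty"])

def checkout_server_priced(order, catalogue=CATALOGUE, max_qty=10):
    """Hardened pattern: the client only chooses *which* product and *how
    many*; the price is looked up server-side, and a client-sent price,
    if present, is used purely as a tamper indicator.
    Returns (total, tampered)."""
    product = order.get("product")
    if product not in catalogue:
        raise CheckoutError("unknown product")
    try:
        qty = int(order.get("qty", 0))
    except (TypeError, ValueError):
        raise CheckoutError("quantity must be an integer")
    if not 1 <= qty <= max_qty:
        # Rejects zero, negative and absurdly large quantities alike.
        raise CheckoutError("quantity out of range")
    tampered = False
    if "price" in order:
        try:
            tampered = Decimal(str(order["price"])) != catalogue[product]
        except InvalidOperation:
            tampered = True  # a non-numeric price is tampering too
    return catalogue[product] * qty, tampered

if __name__ == "__main__":
    edited = {"product": "single-ticket", "qty": 1, "price": "1"}
    print(checkout_trusting_client(edited))  # 1
    print(checkout_server_priced(edited))    # (Decimal('350'), True)
```

    A `tampered=True` result is worth logging and alerting on, since an honest browser never sends a price that differs from the catalogue.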
  4. ...and here's their FB page... by mpoulton · Score: 5, Informative

    ...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu...

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
  5. Some deeper background info concerning incident. by Anonymous Coward · Score: 4, Informative

    The online ticket selling system in question was developed by the Hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of preparedness, but the whole infrastructure was duressed into live operation prematurely.

    The reason for such a hurry was the ongoing FINA 2017 world championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

    Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureaucrats and construction company owners) and the event's budget skyrocketed to 4 times the planned, thereby taking away a lot of money earmarked for public education and the country's single-payer health system.

    While Budapest has a dense and well-developed surface mass transport system called BKK (formerly BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link, there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

    Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership un-realistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

    BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his penny purchase of a name-assigned pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, claiming their corporate legal policies require such a step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

  6. Re:Some deeper background info concerning incident by Anonymous Coward · Score: 5, Informative

    Since I'm a local, let me also add this for the human resources aspect of the story:
    Another reason for the hurried introduction of the insecure, unfinished BKK online ticket sales system was that Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

    Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated Jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections, yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

    He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the length of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

    Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him, is a "mameluk", i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since, BKK has been stagnating and the city's population eventually questioned why no public transit development has happened since Vitezy left. Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence, but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

    BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for the USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the Russians don't conquer our country again in the meanwhile...

  7. Re:Well then by houghi · Score: 3, Informative

    Several years ago I found childporn and reported it to both police and the ISP.
    The ISP was not allowed to do anything by order of the police, even though they already knew who placed it there. The police called my company (from where I had done the report) to ask for my data and told them it was concerning an investigation about childporn.
    When I was helpful and went to them, they tried to get me for:
    1) Obstruction of the law, because I informed the press after a week, because the site was still up and they were working on it.
    2) Fraud, because I had given a fake address at the free email company
    3) Spreading of childporn, because I had done a reply on Usenet and had forgotten to remove the URL

    I am happy that my company was understanding and I did not lose my job.

    Since then I have NEVER seen anything remotely illegal on the Interwebs, ever. If I did, I would obviously report it, but somehow since that, 15 years ago, it seems as if there is nothing illegal going on online. Really absolutely nothing. Weird.

    --
    Don't fight for your country, if your country does not fight for you.
  8. Re:Devil's advocate by DontBeAMoran · Score: 3, Informative

    Or you could expand that to "Trust no one".

    Mulder was right.

    --
    #DeleteFacebook