Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

Lesson learned for him

Never try to help souless corporation.

Re:Lesson learned for him

Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

Re:Lesson learned for him

[AmiMoJo]

This is much worse. CNN didn't go through with its threat.

That's embarrassing

[bjdevil66]

That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

"Unjust arrent"

While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

Re:"Unjust arrent"

Wrong.
That is shitty "neutrality", instead of objectivity.
Some things really are black and white, where there is a clearly correct side.

Well then

I guess security researchers and hackers now learned a lesson.

Find a bug? Exploit the f**k out of it. Don't bother reporting it.

Re:I know this will be an unpopular opinion, but..

[Stormwatch]

No, a better analogy is: the store forgot a price sticker printer in the shelf, so any client could just get it and print new prices freely. This kid found the printer and took it to the cashier, and rather than getting thanked, he got accused of stealing the printer.

Re:Devil's advocate

[stephanruby]

I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or may be someone read it, but had not told Kalman yet). That's the only possible justification.

And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kalman Daoczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned them self in is a vindictive action and a complete waste of police resources.

Re: Devil's advocate

No, this was more like someone leaving a note for me that my door was wide open.

Re:Devil's advocate

[TheReaperD]

Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

Re:Devil's advocate

[Midnight+Thunder]

To use the restaurant analogy, it would be cool if the waitress accepted any price I give her for the meal, but it would probably be shoddy business. Oh, it wasn't normal operating procedure? The waitress accepted it, but now I am being accused of hacking the waitress. How about training her properly to not accept everything the client talks her?