Slashdot Mirror

← Back to Stories (view on slashdot.org)

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

Posted by EditorDavid on from the clicking-unlike dept.

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

5 of 295 comments (clear)

  1. Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

    Never try to help souless corporation.

    1. Re:Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

      Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

      People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

      A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

  2. That's embarrassing by bjdevil66 · · Score: 5, Insightful

    That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

    The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

  3. "Unjust arrent" by Anonymous Coward · · Score: 5, Insightful

    While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

  4. Well then by Anonymous Coward · · Score: 5, Insightful

    I guess security researchers and hackers now learned a lesson.

    Find a bug? Exploit the f**k out of it. Don't bother reporting it.