Slashdot Mirror


Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

7 of 295 comments

  1. Re:what would of a negative number done? by Anonymous Coward · Score: 5, Interesting

    "would of" How do people still make this mistake? Do you just never read?

  2. Re:Client-side validation? by Greyfox · Score: 5, Interesting

    None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the Google Web Toolkit, which allows you to write your web page's UI in Java and then converts it to JavaScript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. Re:Well then by Solandri · Score: 3, Interesting

    No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

    Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.

  4. Re:Devil's advocate by FeelGood314 · Score: 5, Interesting

    I control the client. It does whatever I want. The server should have no expectation of my behavior, it just expects a string of 0s and 1s. The server is asking how many tickets I want and how much I should pay for them. This kid pointed out that the server is trusting the client to tell it what the correct price is. The client is being dishonest if it lies about the price but this isn't like changing the price stickers, here the server is actually asking the client for the price and this 18 year old pointed it out. He bought a ticket that he never intended to use to demo the bug. True, his demo might have caused an error in the backend accounting that could have brought down the entire BKK system. That is generally why you ask permission before hacking something, but this seems so trivial that I would give the kid a break and I would expect him to get a thanks.
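The bug described in the article summary and in this comment (and the client-side-trust problem Greyfox raises in comment 2) comes down to a server that charges whatever unit price the browser submits. The following is an added, constructed example, not BKK's code or anything from the article: a checkout handler that reproduces the flaw next to one that prices the order from a server-side fare table and flags a mismatched submission so it can be logged. The fare table, fare names and quantity limit are assumptions.

```python
"""Ticket checkout: trusting the client's price versus pricing on the server.
Constructed example; fares and fare names are made up."""
from dataclasses import dataclass

# Assumed server-side fare table (unit price in HUF). This, not the form
# field, is the only source of truth for what a ticket costs.
FARES = {"single": 350, "monthly": 9500}
MAX_QUANTITY = 10  # assumed per-order limit


@dataclass
class Order:
    fare_type: str
    quantity: int
    client_price: int  # unit price the browser form submitted; attacker-controlled


class PriceMismatch(ValueError):
    """Raised when the submitted unit price disagrees with the fare table."""


def checkout_vulnerable(order: Order) -> int:
    """The reported flaw: the amount charged is whatever the client said."""
    return order.client_price * order.quantity


def detect_tampering(order: Order) -> bool:
    """True when the submitted unit price differs from the server's fare table.
    Useful as a detection signal even before the fix is deployed."""
    return FARES.get(order.fare_type) != order.client_price


def checkout_hardened(order: Order) -> int:
    """Charge from the fare table; the client's price is validated, never used."""
    if order.fare_type not in FARES:
        raise ValueError(f"unknown fare type: {order.fare_type!r}")
    if not 1 <= order.quantity <= MAX_QUANTITY:
        raise ValueError(f"quantity {order.quantity} out of range")
    if detect_tampering(order):
        # Reject rather than silently re-price, so the attempt surfaces in logs.
        raise PriceMismatch(
            f"client sent {order.client_price}, fare table says {FARES[order.fare_type]}"
        )
    return FARES[order.fare_type] * order.quantity


def is_rejected(order: Order) -> bool:
    """Helper for tests: does the hardened checkout refuse this order?"""
    try:
        checkout_hardened(order)
    except (PriceMismatch, ValueError):
        return True
    return False
```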

  5. Re:Devil's advocate by Anonymous Coward · Score: 2, Interesting

    Actually, you need permission of the site to test their security.

    I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

    Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

    Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him in. And the fact that the crazy ex is a soulless computer shouldn't cause blame to shift to the guy in my living room. It should cause it to shift to me.

  6. Don't report bugs by Andy+Smith · Score: 4, Interesting

    I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

    1. Re:Don't report bugs by martyros · Score: 5, Interesting

      I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

      Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

      Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

      Nope. Three days later a pallet containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

      I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

      Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break into their systems.

      Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at JavaScript.

      --

      TCP: Why the Internet is full of SYN.