Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

Lesson learned for him

Never try to help souless corporation.

Re:Lesson learned for him

[ma1wrbu5tr]

Seems like they just CNNed themselves. Bwahahaha!

Re:Lesson learned for him

Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

Re:Lesson learned for him

[AmiMoJo]

This is much worse. CNN didn't go through with its threat.

Re:Lesson learned for him

[Gondola]

Something similar happened to me in college 20 years ago. I reported that they had an insecure network mount, and they gave me a written warning that went on my record, and almost banned me from the computer services entirely -- which would have made writing papers and doing research impossible since I didn't have them at home.

This is why people aren't nice to each other.

Re:Lesson learned for him

[Atrox+Canis]

Either you forgot your /s at the end or you didn't recognize that "white-hate" was a typo for "white-hat".

Re:Lesson learned for him

[erapert]

People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

Ayn Rand, is that you!? We all thought you were dead! How did you--? I mean, seriously, we thought you were dead!

Re:Lesson learned for him

[eric_harris_76]

Never try to help souless corporation.

Unless I'm misinterpreting "Budapest's public transportation authority" or this is a mistranslation, we're talking a government agency, or a business enterprise wholly owned by a government or set of governments.

Not a corporation in the usual sense of a company with stockholders who can sell their shares, but more like a "corporation" such as the FDIC or FSLIC.

Re: what would of a negative number done?

it would have to told you the correct grammar is:

"What would be the result of changing the price to a negative number"

and then it would have positively fucked your mother

Re:what would of a negative number done?

"would of" How do people still make this mistake? Do you just never read?

That's embarrassing

[bjdevil66]

That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

Re:That's embarrassing

[edtice1559]

This could just as well be a US government agency so maybe it's just how all government tends to work. It's stories like this that make me more sympathetic to the anti-government crowd.

Re:That's embarrassing

[Sique]

The manager who authorized that embarrassment was the owner of the shop himself. So he has to fire himself.

Re:That's embarrassing

[martinfb]

I'm pretty sure those incompetent managers had something to do with that open fly!

"Unjust arrent"

While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

Re:"Unjust arrent"

Proper journalism also checks headlines.

Re:"Unjust arrent"

Wrong.
That is shitty "neutrality", instead of objectivity.
Some things really are black and white, where there is a clearly correct side.

Re:"Unjust arrent"

[thsths]

Proper journalism is less profitable than click bait, and therefore not well represented on Slashdot.

Devil's advocate

[FeelGood314]

This company has no clue how eCommerce works. They actually are double handy capped in that they don't even know what they don't know so they likely had a false sense of thinking they actually did understand things. If you use the website as intended you can't change the price. I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

Kálmán Dabóczi, BKK, the police and the judge who issued the warrant all owe this kid a big apology. However, not everyone can understand everything and it is reasonable to expect that sometimes you will get unlucky and get a company and a few members of the police who have almost zero understanding of a subject and make a stupid mistake. The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib. Hopefully they were professional about the entire thing. Kálmán Dabóczi has likely learned a very hard lesson so let him apologize and get to work. He now has a pile of free penetration results to deal with and possible the job of selecting a new supplier for the website.

Re:Devil's advocate

[Luthair]

Actually, you need permission of the site to test their security. Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

Re:Devil's advocate

[stephanruby]

I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or may be someone read it, but had not told Kalman yet). That's the only possible justification.

And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kalman Daoczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned them self in is a vindictive action and a complete waste of police resources.

Re:Devil's advocate

[FeelGood314]

I control the client. It does what ever I want. The Server should have no expectation of my behavior, it just expects a string of 0s and 1s. The server is asking how many tickets I want and how much I should pay for them. This kid pointed out that the server is trusting the client to tell it what the correct price is. The client is being dishonest if it lies about the price but this isn't like changing the price stickers, here the server is actually asking the client for the price and this 18 year old pointed it out. He bought a ticket that he never intended to use to demo the bug. True, his demo might have caused an error in the backend accounting that could have brought down the entire BKK system. That is generally why you ask permission before hacking something, but this seems so trivial that I would give the kid a break and I would expect him to get a thanks.

Re:Devil's advocate

[FeelGood314]

Kálmán Dabóczi was the manager of BKK. You are correct though that he might not have personal been apart of this. It could have just been employees of BKK and this never filtered up to him.

Re: Devil's advocate

No, this was more like someone leaving a note for me that my door was wide open.

Re:Devil's advocate

Actually, you need permission of the site to test their security.

I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him in. And the fact that the crazy ex is a soulless computer shouldn't cause blame to shift to the guy in my living room. It should cause it to shift to me.

Re: Devil's advocate

[KGIII]

Instead of a thanks, they could have offered him a job, money, or help to further his education.

Re:Devil's advocate

[fafalone]

The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib.

They would have, had this taken place in the US (or, tellingly, a 3rd world totalitarian state) instead of Hungary. If little Bou Bou gets a flashbang in his crib because they're looking for someone with petty non-violent drug charges, and shooting dogs is the police's favorite sport (one cop has shot 60 himself now)... imagine an evil computer hacker interfering with an American company and their God-given right to earn profit, a far more serious offense.

Re:Devil's advocate

[turbidostato]

"KÃlmÃn DabÃczi was the manager of BKK. You are correct though that he might not have personal been apart of this. It could have just been employees of BKK and this never filtered up to him."

Sure. The employees call the police over a non-urgent company issue without before rising it to management.

In Hungary.

Re:Devil's advocate

[TheReaperD]

Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

Re:Devil's advocate

[SimonTheSoundMan]

Car analogies only at /. please!

This is like a car dealership putting the price of the car on the outside of the windscreen, you go up to the car and changed the ticketed price by changing the price form £9,000 to £8,000 by joining the 9 up. You then go tot he salesman and purchase the car at the price you changed it to, salesman sell it to you at that price. You later tell the dealership they should put their pricing behind the glass in the locked car so the price cannot be manipulated.

Re:Devil's advocate

[Dog-Cow]

And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

Re:Devil's advocate

[DontBeAMoran]

Or you could expand that to "Trust no one".

Mulder was right.

Re:Devil's advocate

[Midnight+Thunder]

To use the restaurant analogy, it would be cool if the waitress accepted any price I give her for the meal, but it would probably be shoddy business. Oh, it wasn't normal operating procedure? The waitress accepted it, but now I am being accused of hacking the waitress. How about training her properly to not accept everything the client talks her?

Re:Devil's advocate

[Luthair]

You could make the same argument about any network request you craft.

Re:Devil's advocate

[edtice1559]

And what purpose would it be for the client to present a price? If you have to calculate it anyway? And what do you do if the two don't match? All you're adding here is complexity. I can see having the client *calculate* a price for experience reasons. i.e. a page where I indicate 2 adults and 1 child and JavaScript updates an estimated total. But there should *always* be an order confirmation screen with a price calculated by the server and presented back. You don't need to submit the result of the client-side calculation to generate this page. In the best case you're wasting a trivial amount of bandwidth. In the worst you're introducing needless complexity. Sorry but I don't see any good reason for this.

Re:Devil's advocate

[edtice1559]

More interesting, what happens if I use a browser that doesn't respect the read-only field or if I show a trivial amount of sophistication and just submit my own POST request. Does the server accept the changes? If this is just a cosmetic issue, that's no so bad. If the data can actually be altered with minimal effort, you should ask for your money back!

Re:Devil's advocate

[edtice1559]

It's a good analogy, but don't try this at home. It's possible that one or both of you could get prosecuted. No, I'm not a lawyer. If for no other reason, the waitress could lie and say you left without paying and she never agreed to the alternate price. Unless you have it in writing, I wouldn't want to face a judge saying that the waitress agreed to give me a discount.

Re:Devil's advocate

[hattig]

The judge was probably told 'hacker!!!', the police didn't know better. The business needs to apologise profusely (although if they refuse to fix their systems, they'll soon run out of money from people abusing it, or people avoiding them).

All the kid did was the equivalent of changing the price on a paper order form before sending it to the business.
He did not access any of their systems.
It is not his fault that their systems blindly accept the price he changed.

Intent is key in these things, and as reporting the issue can clearly show no malicious intent, there should be no case. But hey, crappy country, anything involving police, angry embarrassed business, who knows...

Re:Devil's advocate

[nephilimsd]

Have you learned nothing from your literature classes? Trusting No One is exactly what got the cyclops blinded!

Re:Devil's advocate

[Ironlenny]

But I want to believe.

Re:Devil's advocate

[DontBeAMoran]

The truth is out there. You just have to find it.

Re:Devil's advocate

[mattack2]

And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

You're "trusting" that your CPU is calculating the math to verify the cryptographic signature correctly.

Re:Devil's advocate

[PatientZero]

But if you take the item with the original price sticker to checkout, and the person asks what price you would like to pay...

Either the shop owner is horrible at training and needs to sell the business if it hasn't gone under already, or they need to retrain/fire the clerk. No other store does this so I don't know why the clerk would think it reasonable.

Is that theft?

Of course not. The clerk asked you, and you answered. It was a dumb question to begin with and certainly not your fault.

But more importantly, who is at fault?

The shop owner is at fault for poor training or hiring an untrustworthy clerk. Given that I can think of no reason a clerk should think this a reasonable question to ask customers, it's probably their fault unless the shop keeper specifically trained them to do so. But if that's the case, obviously there is no problem as it was intended. Again, you'd be out of business as soon as word got out.

You argue the customer is at fault, for simply answering a question they were asked.

No, I don't that at all. The website isn't asking the customer how much they would like to pay. It's presenting the price to be paid (the sticker), and the customer is changing that price (with a counterfeit sticker), and the site is trusting that the price is the same as what it sent to the client. Most clerks would be trained to apply brain power to decide if the sticker is correct, and you'd be an idiot not to have your server do the same thing in 2017, something it could do with 100% accuracy and minimal development effort.

But that doesn't make it acceptable any more than applying counterfeit price stickers in a brick-and-mortar store would be.

I argue the customer is NOT at fault, again because there is no reason to expect a store to do this if that wasn't their intention.

Online stores have no expectation that their shopping cart will work the way they implemented it? That's a tough sell. Do you think they also expect their site navigation links to fail and their images not to load? If so, can you please email my boss and tell him that all those bug tickets the QA team submitted last week are invalid because we should have no expectation that our code works.

You're equating trusting that the data sent from the server was not altered by the client with a cashier ignoring the price stickers and asking every single customer what price they'd like to pay. Those simply aren't the same case—not even close. The end result may be the same, but that would apply to having the stocker attach the wrong prices to the products. I think we can both agree that would be the fault of the store owner or stocker, using the same reasoning I laid out above.

Re:Devil's advocate

[dddux]

What kind of understanding do you need to imprison a person who helps you with something? ;)

Well then

I guess security researchers and hackers now learned a lesson.

Find a bug? Exploit the f**k out of it. Don't bother reporting it.

Re:Well then

[Solandri]

No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.

Re: Well then

Wait, in your analogy, you've painted the corporation as the poor black guy getting lynched?

Re: Well then

Lynching is, by definition, illegal.

Not if the person being lynched is black.

Re:Well then

[Uberbah]

Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see

Wow. Where any shrooms involved in the formation of this analogy? Why don't you go pay a visit to Eric Garner's family and tell them that taking advantage of a web site's shitty security to get cheap tickets is just like their dad being strangled to death on the street. You might wanna bring a cup and a mouth guard.

Re: Well then

The analogy doesn't make sense at all. It was modded +5 by idiots. The analogy can't even be easily changed into a form that does make sense.

Neither does the conclusion. The person reporting the vulnerability got lucky that his case went viral this time. The next might rot away in prison. There is no way to tell in advance and thus no way to justify always "doing the right thing" by disclosure. You might end up in handcuffs. You might not. Even if the case is dropped you will likely be out of a job and find it very difficult to find another because your name was in the news as being a criminal. On the other hand, you could exploit the vulnerability all you want, get away with it thanks to the same inept team that made it possible, and profit from it. As a third option, choose to do nothing. No reward and no punishment.

Which choice would a sane person make? Not the first one.

Re:Well then

[AmiMoJo]

My policy is to report the bug if the company has a reasonable looking bug bounty programme. Such a programme demonstrates that they probably have the right attitude, and even if it's just a trap you can point to it in court as evidence of your good faith.

If there is no bug bounty programme I'll either ignore it or report it anonymously to a relevant mailing list. If the company has a contact email address (not a web form) then I'll CC them in.

Anything else is too risky. If you want responsible disclosure, be open about it, set up a proper mechanism and offer at least a token amount of cash.

Re:Well then

[houghi]

Several years ago I found childporn and reported it to both police and the ISP.
ISP was not allowed to do anything by order of the police, even if they already know who placed it there. The police called my company (from where I had done the report) to ask for my data and told them it was concerning an investigation about childporn.
When I was helpful and went to them they tried to get me for:
1) Obstruction of the law, because I informed the press after a week, because the site was still up and they where working on it.
2) Fraude, because I had given a fake address at the free email company
3) Spreading of childporn, because I had done a reply on Usenet and had forgotten to remove the URL

I am happy that my company was understanding and I did not lose my job.

Since then I have NEVER seen anything remotely illegal on the Interwebs, ever. If I would I would obviously report it, but somehow since that 15 years ago, it seems as if there is nothing illegal going on online. Really absolutely nothing. Weird.

Re:Well then

[apoc.famine]

Make an infographic of how to do it, and post it to 4chan. The company will find out they have an issue in no time if you do that!

Re:Well then

[edtice1559]

I could never recommend exploiting a found defect. Its unethical and really the reason that we have to have laws. Obtaining free tickets this way isn't really much different than shaking them out of a vending machine (assuming you don't damage the machine). But if a company doesn't have an established bug bounty program, I would *never* contact them with a defect report. I would definitely sell it on one of the markets for these. It's just less risky. Until there are laws protecting people who report bugs, it's just not a safe activity. If there's a bug bounty in place that's somewhat of a contract (IANAL) and means that the recipient is interested in handling defect reports correctly. Not a legal shield but at least something. If there's nothing in place, reporting honestly is a fool's errand.

Client-side validation?

[whoever57]

Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

Surely no e-commerce site should rely on client-side validation? That seems like asking for trouble.

Re:Client-side validation?

[DivineKnight]

But JavaScript can do anything!

Re:Client-side validation?

[Greyfox]

None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the google web toolkit, which allows you to write your web page's UI in Java and then converts it to Javascript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.

Re:Client-side validation?

[geoskd]

A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets.

Umm, No.

TCP/IP (specifically the transport layer) handles packet integrity. What gets sent is what is delivered or nothing at all. Client side validation's only purpose is to ensure that the user is informed when they have entered invalid information so that they can correct their mistake. If you are trying to use it any other way, I hope you are not a professional web developer.

Re:Client-side validation?

[gravewax]

You should not rely on it but you definitely should use it. Client side validation is something you use to help pre filter information that is going to be rejected by your server and can be very handy, e.g. users setting a username or password or even an address, if the format is invalid and will be rejected server side then you may as well save the server the processing time.. You don't use it as a security mechanism though!

Re: Client-side validation?

[guruevi]

No it doesn't. It handles error correction/detection and even then, very weakly which is why most systems have more error detection both in higher and lower layers. You cannot assure data integrity in TCP (or IP), that's handled very much above those layers, typically in application.

Re:Client-side validation?

[gravewax]

TCP/IP provides some very basic integrity, sequence, error control and delivery checks. Though their are many holes in the protocol that mean you cannot rely upon it for integrity, data validation must be done at other layers or in the application itself as the TCP/IP layer does NOT handle anything but the very basics of packet integrity, it is extremely easy to change a packet in ways that it will pass all its TCP integrity checks.

Re:Client-side validation?

[gl4ss]

.. not really.

no amount of client side checking fixes the problem that the customer can alter anything that happens client side.

what you're describing is some sort of crc/data integrity check which doesn't really help you with if the data is on purpose wrong.

Re:Client-side validation?

[gl4ss]

If you were a professional developer working in this area you would know, just because you a foul mouthed whiny little kid in your mothers basement isn't a reason to spoon feed you. Go do some basic research if you are interested and learn about the limitations inherent in the TCP checksums, this isn't some mythical hidden or difficult to find information, stop being lazy and educate yourself rather than bitching about others.

maybe you dumb fucks don't understand that even this site probably used https and how many layers of crc checking do you really need?

I mean the issue at hand was trusting information that comes from the client side. integrity checking that information does not help at all when what was missing was SANITY CHECKS. integrity of the data was JUST FINE.

seriously.

you guys sound like the kind of dumb fucks who think that adding a signature that is done at the client end into a http post adds ANY SECURITY WHATSOEVER when what you really would need to do is to sanity check the input - not that it has a matching hash to the data the client end sent on purpose.

seriously, I have seen in the industry people actually think that if you do that then only your client app can send data - when they are giving that client app to whoever user to analyze. it doesn't apply just to web pages....

Re:Client-side validation?

[AmiMoJo]

Last week another company set up an FTP server for one of our older products to send data to. I know, FTP, but this thing predates my joining the company and it does actually work quite well. Anyway, they were having trouble so we logged in and found ourselves dumped into the root of their Linux server. We could see everything and seemed to be running at root.

I emailed them about it and they said it was fine because the machine was "isolated".

Re:Client-side validation?

[edtice1559]

This is not a function for client-side validation. This is what a confirmation page is for. The server repeats the data back and the client then hits accept. Now there is no risk of communication issue even with corrupt data. Listen to air traffic control sometime. The pilots always repeat back instructions. Same principle. The pilots don't make their own ATC decisions. And this is a very apt analogy because humans communicating over radio frequency do get a lot of corrupted data.

Re:Client-side validation?

[gravewax]

No names and addresses can't be anything in all systems at all. many have restricted characters, e.g. your address can't contain ^*$~? etc, or sometimes multi byte characters if your site doesn't support it. Many have very specific requirements for addresses in that they must be resolvable. Names are exactly the same.

This is cute and all

[rsilvergun]

I'd be more impressed if the facebook hive mind did something about this.

...and here's their FB page...

[mpoulton]

...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu...

Re:I know this will be an unpopular opinion, but..

[Stormwatch]

No, a better analogy is: the store forgot a price sticker printer in the shelf, so any client could just get it and print new prices freely. This kid found the printer and took it to the cashier, and rather than getting thanked, he got accused of stealing the printer.

Re: I know this will be an unpopular opinion, but.

How would he know that the flaw existed at all, if he hadn't tried it and found that it worked? It's not like he cashed in on it; he merely and duly reported it. No, the company's actions were maximally counterproductive.

Only apps can app apps!

If this LUDDITE company used modern appy app apps instead of LUDDITE software, then LUDDITE hackers wouldn't be able to hack the app! Only apps can app apps!

Apps!

Re: Only apps can app apps!

[KGIII]

Off topic, I know, but I like apps guy. I miss the cows guy.

I know, some don't like them. However, they are a part of what makes this site what it is.

Re: Only apps can app apps!

[Highdude702]

apps guy is the best so far IMO, unfortunately he misses a lot of golden opportunities lately. Maybe he himself is getting tired of the same ol dribble on slashdot.

Re: Only apps can app apps!

[RavenLrD20k]

All your base are belong to me.

Re: Only apps can app apps!

[RavenLrD20k]

I know what the real phrase is. I just don't like sharing.

Re: Only apps can app apps!

[TechyImmigrant]

And while too inarticulate to make his point well, I would agree with apps guy's hate for a couch that can only be adjusted by smartphone.

There's an app for that.

Re:I know this will be an unpopular opinion, but..

[Dutch+Gun]

We don't need a bad analogy or two to understand this. The kid saw an exploitable flaw, let the company know in a responsible manner, and was punished for it. Other companies would thank him, and perhaps even pay him a bug bounty for his trouble, because he just did them a huge favor. This is not anything unprecedented in the modern world. Only the backwards and punitive reaction is.

This reaction represents the mindset of companies from decades ago, where they thought that security through obscurity was a valid methodology. All it does it discourage white hats from disclosing bugs. The black hats will gleefully exploit the flaws they discover.

Re: what would of a negative number done?

[KGIII]

"should of"

Subtle. I like it.

He should have _increased_ the price

[gweihir]

That way, no accusation of getting financial gain from the "hack" would have been possible.

As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.

Re:He should have _increased_ the price

[gweihir]

That test he should have done in a fashion they could not have traced back to him. What he should have given them in evidence (clearly attributable to him) should have had him paying more. The problem is that making a hacking charge stick is a lot easier if the hacker gained something, however small.

Re:He should have _increased_ the price

[jabuzz]

Buy a dated ticket don't use it and keep it, then report the bug *AFTER* the dated ticket has expired.

Re: what would of a negative number done?

[KGIII]

At least twice, because I know I'm not his father.

I couldn't resist.

Don't report bugs

[Andy+Smith]

I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

Re:Don't report bugs

[martyros]

I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

Nope. Three days later a palate containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break in to their systems.

Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at javascript.

Re:Don't report bugs

[houghi]

These things happen. We had an item for sale where you would get another item for free. You would then have 2 items in your basked. You could delete the one item you had to pay for and thus receive the other item for free (+ shipping). So we cursed a bit, honored the orders and put it in as cost of doing business.

Notb that much different as having the wrong price in the store. Things happen. Does not mean they will have to honor it if the standard price is 10.000 and they put it up by accident as 10, because that should be obvious as being an error.

Re: Impersonating me? Please... apk

[KGIII]

Can confirm that APK predates the Android packages.

Re: Impersonating me? Please... apk

[omnichad]

But never got asked out on a second date.

Legislation needed?

[seoras]

I'm not one for advocating laws but looking at this and seeing the obvious effect it's going to have on white hat security vigilantes (saying nothing or being turned grey/black hat by corporate, egotistical, twats covering their own arse) the only solution seems to be to create laws to protect the white hats.
Laws like those which protect freedom of press and speech.
If you haven't benefited from your discovery and research then you can't be prosecuted.
Instead of reporting to the corporation report to a government watch dog who covers for you.
Better still fine the corporations to fund the watch dog and pay out a bug bounty.

I don't report bugs

[buss_error]

I don't report bugs to the company. I may report it to their ISP, but usually I don't bother in the sense I don't go looking for bugs.

I don't know, but isn't there a bug reporting system that will allow anonymous communication? If not, maybe that's something CERT could look into sponsoring.
Sort of like the old abuse.net system, where you could register "Hey, this is where we take spam reports seriously." That way the clued in sites will let the whitehats know their reports are taken seriously, and the white hats know they at least have a simi-clued in contact and won't let slip the dogs of war because there's something wrong.

Again, all I'm interested in are my own sites, and I'll hardly dox myself.

Re:I don't report bugs

[Dread_ed]

No, there's still just the two. Though they are owned by the same family...

Re:Still upset I burnt you on hosts?

[omnichad]

Wait...did you just link to a post where I proved you wrong? Why? DNS amplification attacks use DNS servers to attack YOU - whether you use DNS resolution or not.

45001 now

[omar_armas]

With my vote.

Security Researcher?

[GodfatherofSoul]

I haven't been on Slashdot much lately, but is that the new euphemism for hacking?

The simple rule is don't poke around someone else's defenses and then get mad when they treat you as a threat. How would you feel if someone told you "Hey, I've been trying to break into your house lately and just realized your bedroom window is unlocked!" ?

Re:Security Researcher?

[Sabriel]

A lot less appreciative than if they'd told me "Hey, sorry, I have an obsessive-compulsive disorder about checking locks and yours aren't working."

One is a burglar in search of a Darwin Award, the other is a good samaritan in need of therapy; having the police arrest the latter is the act of an asshole.

Re:Security Researcher?

[LoneTech]

No, it's not new, and this isn't poking around in defenses, simply because there was a complete absence of defenses. The programming terms for the missing class of checks are input validation and sanitation.

This was the equivalent of someone handing you an order form where you fill in both price and quantity, you filling in the wrong price and handing it back, then them reading your price and going with that, no comments. And after you instead of using the incorrectly priced service told them they should perhaps check against their catalog prices, they sent the police after you. Note that until the subject was brought up they had no clue of either how many or how severe these mismatches had been, nor was there any indication why they happened. The only confirmed case was also one where no service was used and thus no loss was involved.

To make your analogy more fitting, the other day a neighbour walked up to my door and called in "hello, did you forget to close the door?" because it was ajar. My visitor had indeed failed to pull it shut. Nobody was jostling my fourth floor bedroom window. The purpose of the door is to let people in; I had opened the door to let someone in; and I was alerted that perhaps it was open for more than I had planned.

The adage for this type of behaviour is shooting the messenger.

Re:Security Researcher?

[Dread_ed]

Not a good analogy at all. He wasn't in someone else's house. Nor on their porch, nor their property.

Everything he modified was on his computer. They dropped a bunch of stuff into his browser, he modified it on his end, and they loaded the info from his computer back into theirs and took it as true.

That is not at all similar to breaking and entering. In your analogy he never left his own house.

Can I get that on Credit?

[Nabeel_co]

Since they are so insistent on their system being secure when it clearly isn't, wouldn't it be funny if someone sold themselves a ticket with a negative value attached, thereby crediting themselves a large sum of money?

Re:Can I get that on Credit?

[Hal9000_sn3]

Didn't Amazon have a similar flaw for quite a while? A negative number in the quantity would credit you back, if I remember correctly. http://www.youtube.com/watch?v...

in Bulgaria

[D,Petkow]

the subway token system can get EASILY hacked -i.e. you pay for 5 rides and they never "expire". This is all documented in a public website by a programmer dude who discovered it. Nobody did anything it has been like that for years, apparently. I suspect people could be even selling fake prepaid tickets etc. It's just Bulgaria in general country is so corrupt on all levels, that a scam of such magnitude is not threaded as something serious lmao Millions of EU funded money get laundered and stolen into corrupt politicians's own pockets. In Bulgaria the average salary is 400 euro, but you see Brabus and AMG Mercedes S 600 and Bentleys and Panameras everywhere all day...

Re:I know this will be an unpopular opinion, but..

[91degrees]

It's only natural, when finding a bug, to test it and confirm that it is a bug. If a front door is unlocked, you might reasonably push on it, poke your head in and shout "is anyone home?". And then leave a note on the doormat.

I'd say he did the minimal possible to confirm there was a problem.

Some deeper background info concerning incident.

The online ticket selling system in question was developed by the hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of perparadness, but the whole infrastructure was duressed into live operation prematurely.

The reason for such a hurry was the ongoing FINA 2017 would championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureucrats and construction company owners) and the event's budget skyrocketed to 4x times of the planned, tehreby taking away a lot of money earmarked for public education and the country's single-payer health system.

While Budapest has a dense and well-developed surface mass transport system called BKK (formely BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link, there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership un-realistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his pennys purchase of a name-assinged pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, climing their corporate legal policies require such step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

Re:Some deeper background info concerning incident

Since I'm a local, let me also add this for the human resources aspect of the story:
Another reason for the hurried introduction of the inscure, unfinished BKK online ticket sales system was that the Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the lenght of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him is a "mameluk" i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since BKK has been stagnating and the city's population eventually questioned why no public transit development happens since Vitezy left? Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the russians don't conquer our country again in the meanwhile...

Re:Trump

[SharpFang]

How fucking corrupt (or clueless) must one have been to have cast a vote for Hillary Clinton?

We had a similar situation in Poland recently. A party of ass clowns was voted in, in place of one of very competent *thieves* that kept robbing the country blind with impunity over previous 8 years. And while the ass clowns aren't a good government, they certainly cause far less harm than the thieves did.

Fuck whitehat

[volodymyrbiryuk]

Go full blackhat or get fucked. I bet their server where customer information resides has gaping security loopholes too. Instead of punishing the company the try to kill the messenger.

Re: what would of a negative number done?

[drinkypoo]

Studies show that grammar nazis are dicks.

Re:what would of a negative number done?

[DontBeAMoran]

Nobody here says "WA LA". It's spelled "voilà" for a reason.

Ludicrously simple?

[computational+super]

You say "ludicrously simple" but in today's 8-week-bootcamp to "Javascript ninja rockstar" culture, I've all but given up on trying to explain to front-end developers why client-side validation alone isn't sufficiently secure. I explain it to them once, shrug off their uncomprehending stares and wait for them to implement what I just told them not to, demonstrate the "hack" in front of them, wait for them to protest that "well, anybody who is competent enough to think of THAT is surely unstoppable anyway!" and then hunker down for a month of explaining again, and again, and again to management that yes, deadlines are super-duper important and yes, we have client deliverables to meet but this is a real security problem and yes, it really needs to be fixed. That the cumulative time we spend arguing about something that never should have even come up in the first place is an order of magnitude greater than the time that would have been spent just fixing the damned thing in the first place never seems to make much impression on anybody, either.

Re:what would of a negative number done?

[parkinglot777]

It's colloquial. Some people view their forum responses as literal "speech", rather than a formal written argument.

Get over it.

Then they shouldn't be writing and also stop assuming that everyone else knows it. Speaking language is often time ambiguous. If you want to write, do it properly.

Re:2 more of your tech fails

[omnichad]

how can a DNS amplification affect me?

Maybe you should look up what a DNS amplification attack does. Hint - it doesn't matter if you use HOSTS for all of your lookups.

A DNS amplification attack does not stop you from looking up web sites. It's a DDoS that overloads your router. HOSTS will not help you with that whatsoever. Not DOS, DoS.

P.S. It's not a "big blunder" to not remember which order to put HOSTS in. The Windows default hosts file has examples in it. You never have to learn or remember the syntax, because it's right there in the file.

Re:Your blunders = HUGE, lol... apk

[omnichad]

how can you overload my router? You don't know my IP address!

It doesn't have to be a targeted attack - you still have an IP address and you're still not any more protected. Besides, you claimed that the HOSTS file engine protects against a DNS amplification attack. Still not true.

Since EXAMPLES ARE THERE, your BLUNDER SHOWS YOU DIDN'T CHECK 1st & STUPIDLY PUT THEM OUT IN THE WRONG ORDER

Or, it's pseudocode and exact syntax doesn't matter in the slightest. You're the only person on Slashdot who would care. The meaning of my post didn't change based on the order of my syntax, because the intent was unambiguous.

Re:what would of a negative number done?

[CodeHog]

From my CS days in college, unit test for the following conditions. Value = N, value = N -1, value = N + 1, value = -N, wash, rinse, repeat until time is up or bugs are fixed.

Re:BS! No IP = no target to hit here

[omnichad]

Do you change your actual ISP IP or your endpoint/VPN IP? Only the former prevents being affected by a DDoS. You're assuming someone found your IP from forum/server logs rather than just attacking a random IP.

It's WHY I change IP address every time I post in ANY forums

No, you do that because otherwise you can't post as AC every couple minutes all day.

Either way, HOSTS does not protect against a DNS amplification attack. Why not concede that point already?

1994 Called

[PatientZero]

They'd like their client-side shopping cart software back.

How does even the most novice developer not know that you can't trust anything from the client?

Re: what would of a negative number done?

[KGIII]

Oh, the irony.

I recall an analogy from an old European folk tale

[TheHawke]

"The King Has No Clothes on!"

I think in the original version the person that made that proclamation was promptly beheaded.

If not, it should at least be mentioned.

Re:ISP assigned IP (not local one) of course

[omnichad]

And your HOSTS tool still does nothing to protect against DNS amplification attacks. Seems that you can't just address the main point of my post.

Re:Your DNS AMP attack can't affect me

[omnichad]

I don't care if the DNS amplification attack affects you - that wasn't the issue. You claimed that your HOSTS file engine itself protects against that. That's not true.

Re:Then what good's your so-called 'point'?

[omnichad]

Because you're advertising your software as something that can stop DNS amplification attacks. https://science.slashdot.org/c...

And when someone calls you out on it, you stick out your tongue and say that you can change your IP address. Only a politician would think that's an answer.

Don't rock the boat

[OrangeTide]

Powerful people don't like to be embarrassed nor have the world discover their incompetence. If you expose a powerful moron his position is at risk, and he'll take it as an attack. It's irrelevant for him that you were only trying to help.

Re:Don't rock the boat

[edtice1559]

Yes, but the fundamental problem is that we are letting incompetent people *become* powerful. If competence were a prerequisite, we wouldn't get into this situation.

Re:Don't rock the boat

[OrangeTide]

I have no idea how you could go about changing that. It seems to have been a general problem that even the ancient Greeks wrote about.

Re:READ: Both methods = complimentary

[omnichad]

I'm not attacking you with DNS amplification attacks. I'm talking about the end-users you advertise to. Stop conflating these two things.

Hosts file engine does nothing against DNS amplification attacks.

Use your brain

[dhaen]

Idly browsing one night, I discovered that all access controlled had been switched off our corporate network. Yes I could even open the CEO's home folder. It didn't take much brain power to realise that if I looked any further there would be time stamps on files that matched my shift time, so I didn't go any further (despite being curious).

I waited until the morning and phoned a relatively junior IT team member and explained the security lapse to him (on the basis of anonymity), who then escalated the problem.

The result: The problem got fixed. He got a pat on the back for discovering the oversight, and we became good friends.

Re: what would of a negative number done?

[alexgieg]

Is there even a legitimate way to use "should of" or "would of" in a sentence?

Any in which "of" is followed by "course".

a) "He should of course he should!", she exclaimed breathlessly.

b) "If we did X, we would of course get..."

c) "It could of course be a fly."

Client side checking

[ewibble]

Because there was no client or server-side validation put in place

What on earth would client side validation do? In fact it does have client side checking it puts the price in the client. The problem is that the hacker changed the client. No amount client side checking can fix this problem when the user controls the client.

Re: what would of a negative number done?

[alexgieg]

You're missing commas in all of those examples.

They're actually optional, specially if you're trying to convey spoken language. I agree that with them the sentences read better though.

Re:I know this will be an unpopular opinion, but..

[Mr.+Shotgun]

May be a day late and a dollar short on this response but that is not a good analogy. Client side validation is not swapping stickers, it is handing the customer the label maker and letting them choose their own price. Sure it has a suggested price as the default, but without checking the accuracy on the server side you are letting the customer pick which ever price they want and you accept it because that is how your system is set up. It is like the credit card company that did not verify their own contract when it was sent back by a customer. If your system is set up to auto accept what the customer said you are going to have a bad time.