Slashdot Mirror


Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

30 of 295 comments

  1. Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

    Never try to help a soulless corporation.

    1. Re:Lesson learned for him by ma1wrbu5tr · · Score: 4, Funny

      Seems like they just CNNed themselves. Bwahahaha!

      --
      Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    2. Re:Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

      Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

      People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

      A change in law is necessary; only after appropriate protections for white-hat hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

    3. Re:Lesson learned for him by AmiMoJo · · Score: 3, Insightful

      This is much worse. CNN didn't go through with its threat.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Re:what would of a negative number done? by Anonymous Coward · · Score: 5, Interesting

    "would of" How do people still make this mistake? Do you just never read?

  3. That's embarrassing by bjdevil66 · · Score: 5, Insightful

    That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

    The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

  4. "Unjust arrest" by Anonymous Coward · · Score: 5, Insightful

    While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

    1. Re:"Unjust arrest" by thsths · · Score: 2

      Proper journalism is less profitable than click bait, and therefore not well represented on Slashdot.

  5. Devil's advocate by FeelGood314 · · Score: 2

    This company has no clue how eCommerce works. They actually are doubly handicapped in that they don't even know what they don't know, so they likely had a false sense of thinking they actually did understand things. If you use the website as intended you can't change the price. I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also thought the same thing.

    Kálmán Dabóczi, BKK, the police and the judge who issued the warrant all owe this kid a big apology. However, not everyone can understand everything and it is reasonable to expect that sometimes you will get unlucky and get a company and a few members of the police who have almost zero understanding of a subject and make a stupid mistake. The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib. Hopefully they were professional about the entire thing. Kálmán Dabóczi has likely learned a very hard lesson so let him apologize and get to work. He now has a pile of free penetration results to deal with and possibly the job of selecting a new supplier for the website.

    1. Re:Devil's advocate by stephanruby · · Score: 4, Insightful

      I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also thought the same thing.

      Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

      No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or may be someone read it, but had not told Kalman yet). That's the only possible justification.

      And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kalman Daboczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned themselves in is a vindictive action and a complete waste of police resources.

    2. Re:Devil's advocate by FeelGood314 · · Score: 5, Interesting

      I control the client. It does whatever I want. The server should have no expectation of my behavior, it just expects a string of 0s and 1s. The server is asking how many tickets I want and how much I should pay for them. This kid pointed out that the server is trusting the client to tell it what the correct price is. The client is being dishonest if it lies about the price but this isn't like changing the price stickers, here the server is actually asking the client for the price and this 18 year old pointed it out. He bought a ticket that he never intended to use to demo the bug. True, his demo might have caused an error in the backend accounting that could have brought down the entire BKK system. That is generally why you ask permission before hacking something, but this seems so trivial that I would give the kid a break and I would expect him to get a thanks.

    3. Re: Devil's advocate by Anonymous Coward · · Score: 2, Insightful

      No, this was more like someone leaving a note for me that my door was wide open.

    4. Re:Devil's advocate by Anonymous Coward · · Score: 2, Interesting

      Actually, you need permission of the site to test their security.

      I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

      Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

      Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him in. And the fact that the crazy ex is a soulless computer shouldn't cause blame to shift to the guy in my living room. It should cause it to shift to me.

    5. Re:Devil's advocate by TheReaperD · · Score: 4, Insightful

      Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
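
An added example, not code from BKK, T-Systems or the article, showing the pattern TheReaperD describes (the server charging whatever price the browser submits) next to a hardened handler that treats the server's own catalogue as the only price source and logs a tampered form as a detection signal. Ticket types, HUF prices, the request dictionary and the names `checkout_trusting_client`, `checkout_server_side` and `price_tamper_detected` are all constructed for illustration.

```python
# Added example (not BKK's or T-Systems' code): a checkout handler that trusts
# the client's price field, beside one that looks the price up server-side.
# Ticket types, prices (HUF) and the request shape are constructed for illustration.
from dataclasses import dataclass

CATALOGUE = {"single": 350, "day_pass": 1650, "monthly": 9500}  # constructed
MAX_QUANTITY = 10


class InvalidOrder(ValueError):
    """Raised when a request fails server-side validation."""


@dataclass(frozen=True)
class Order:
    ticket_type: str
    quantity: int
    total: int


def checkout_trusting_client(request: dict) -> Order:
    """Vulnerable pattern: whatever 'price' the browser submits is charged.
    Editing the hidden field in the browser's developer tools changes the total."""
    qty = int(request["quantity"])
    unit_price = int(request["price"])  # client-controlled value
    return Order(request["ticket_type"], qty, unit_price * qty)


def price_tamper_detected(request: dict) -> bool:
    """Detection signal: a submitted price that disagrees with the catalogue
    means the form was altered between rendering and submission."""
    ticket_type = request.get("ticket_type")
    claimed = request.get("price")
    if ticket_type not in CATALOGUE or claimed is None:
        return False
    return str(claimed) != str(CATALOGUE[ticket_type])


def checkout_server_side(request: dict) -> Order:
    """Hardened pattern: the client only names the product and the quantity;
    the price is looked up on the server and every field is validated."""
    ticket_type = request.get("ticket_type")
    if ticket_type not in CATALOGUE:
        raise InvalidOrder(f"unknown ticket type: {ticket_type!r}")
    try:
        qty = int(request.get("quantity", 0))
    except (TypeError, ValueError):
        raise InvalidOrder("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QUANTITY:  # rejects zero, negatives and bulk abuse
        raise InvalidOrder(f"quantity out of range: {qty}")
    if price_tamper_detected(request):
        # The sale still goes through at the real price; the mismatch is
        # recorded so the fraud or SOC team can see tampered submissions.
        print(f"ALERT: submitted price {request['price']!r} != catalogue "
              f"price {CATALOGUE[ticket_type]} for {ticket_type!r}")
    return Order(ticket_type, qty, CATALOGUE[ticket_type] * qty)


# Constructed request: a monthly pass whose hidden price field was edited to 50.
TAMPERED_REQUEST = {"ticket_type": "monthly", "quantity": "1", "price": "50"}

if __name__ == "__main__":
    print("trusting client:", checkout_trusting_client(TAMPERED_REQUEST))
    print("server-side    :", checkout_server_side(TAMPERED_REQUEST))
```

The same server-side lookup also closes the "Order more" ambiguity in martyros's tile story further down, since the unit and its price are both decided by the server rather than by whatever the basket form happens to carry.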
    6. Re:Devil's advocate by Dog-Cow · · Score: 2

      And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

    7. Re:Devil's advocate by DontBeAMoran · · Score: 3, Informative

      Or you could expand that to "Trust no one".

      Mulder was right.

      --
      #DeleteFacebook
    8. Re:Devil's advocate by Midnight+Thunder · · Score: 4, Insightful

      To use the restaurant analogy, it would be cool if the waitress accepted any price I give her for the meal, but it would probably be shoddy business. Oh, it wasn't normal operating procedure? The waitress accepted it, but now I am being accused of hacking the waitress. How about training her properly to not accept everything the client tells her?

      --
      Jumpstart the tartan drive.
    9. Re:Devil's advocate by nephilimsd · · Score: 2

      Have you learned nothing from your literature classes? Trusting No One is exactly what got the cyclops blinded!

  6. Well then by Anonymous Coward · · Score: 5, Insightful

    I guess security researchers and hackers now learned a lesson.

    Find a bug? Exploit the f**k out of it. Don't bother reporting it.

    1. Re:Well then by Solandri · · Score: 3, Interesting

      No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

      Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.

    2. Re:Well then by houghi · · Score: 3, Informative

      Several years ago I found child porn and reported it to both police and the ISP.
      The ISP was not allowed to do anything by order of the police, even if they already knew who placed it there. The police called my company (from where I had done the report) to ask for my data and told them it was concerning an investigation about child porn.
      When I was helpful and went to them they tried to get me for:
      1) Obstruction of the law, because I informed the press after a week, because the site was still up and they were working on it.
      2) Fraud, because I had given a fake address at the free email company
      3) Spreading of child porn, because I had done a reply on Usenet and had forgotten to remove the URL

      I am happy that my company was understanding and I did not lose my job.

      Since then I have NEVER seen anything remotely illegal on the Interwebs, ever. If I did I would obviously report it, but somehow since then, 15 years ago, it seems as if there is nothing illegal going on online. Really absolutely nothing. Weird.

      --
      Don't fight for your country, if your country does not fight for you.
  7. ...and here's their FB page... by mpoulton · · Score: 5, Informative

    ...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu...

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
  8. Re:I know this will be an unpopular opinion, but.. by Stormwatch · · Score: 3, Insightful

    No, a better analogy is: the store forgot a price sticker printer in the shelf, so any client could just get it and print new prices freely. This kid found the printer and took it to the cashier, and rather than getting thanked, he got accused of stealing the printer.

  9. Re:Client-side validation? by Greyfox · · Score: 5, Interesting

    None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the Google Web Toolkit, which allows you to write your web page's UI in Java and then converts it to JavaScript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Re:Client-side validation? by geoskd · · Score: 5, Informative

    A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets.

    Umm, No.

    TCP/IP (specifically the transport layer) handles packet integrity. What gets sent is what is delivered or nothing at all. Client side validation's only purpose is to ensure that the user is informed when they have entered invalid information so that they can correct their mistake. If you are trying to use it any other way, I hope you are not a professional web developer.

    --
    I wish I had a good sig, but all the good ones are copyrighted
  11. Don't report bugs by Andy+Smith · · Score: 4, Interesting

    I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

    1. Re:Don't report bugs by martyros · · Score: 5, Interesting

      I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

      Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

      Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

      Nope. Three days later a pallet containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

      I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

      Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break in to their systems.

      Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at javascript.

      --
      TCP: Why the Internet is full of SYN.

  12. Re:Client-side validation? by gravewax · · Score: 2

    TCP/IP provides some very basic integrity, sequence, error control and delivery checks. However, there are many holes in the protocol that mean you cannot rely upon it for integrity; data validation must be done at other layers or in the application itself, as the TCP/IP layer does NOT handle anything but the very basics of packet integrity. It is extremely easy to change a packet in ways that will pass all its TCP integrity checks.

  13. Some deeper background info concerning incident. by Anonymous Coward · · Score: 4, Informative

    The online ticket selling system in question was developed by the Hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of preparedness, but the whole infrastructure was duressed into live operation prematurely.

    The reason for such a hurry was the ongoing FINA 2017 world championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

    Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureaucrats and construction company owners) and the event's budget skyrocketed to 4x the planned, thereby taking away a lot of money earmarked for public education and the country's single-payer health system.

    While Budapest has a dense and well-developed surface mass transport system called BKK (formerly BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link; there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

    Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership un-realistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

    BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his penny purchase of a name-assigned pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, claiming their corporate legal policies require such a step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

  14. Re:Some deeper background info concerning incident by Anonymous Coward · · Score: 5, Informative

    Since I'm a local, let me also add this for the human resources aspect of the story:
    Another reason for the hurried introduction of the insecure, unfinished BKK online ticket sales system was that Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

    Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated Jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections, yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

    He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the length of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

    Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him, is a "mameluk", i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since, BKK has been stagnating and the city's population eventually questioned why no public transit development has happened since Vitezy left. Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence, but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

    BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for the USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the Russians don't conquer our country again in the meanwhile...