Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested
Protests sparked after web security hole reported
The arrest of a Hungarian bloke after he discovered a massive flaw in the website of Budapest's transport authority – and reported it – has sparked a wave of protests.
Thousands of users have flooded the Facebook page of the capital city's transport authority Budapesti Közlekedési Központ (BKK) – and its main website was taken down for several days by online attacks.
Meanwhile, a crowd of protestors gathered outside the main BKK offices in Budapest on Monday and the story has taken off in the Hungarian media, thanks in large part to conflicting accounts of what happened from the young chap himself and the CEO of BKK, Kálmán Dabóczi.
The tale started last week when an unnamed 18-year-old found that, while purchasing a ticket online, he could manipulate the BKK website so that the ticket's price was changed, and then buy it at that new price.
Rather than take advantage of virtually free travel in the country's capital, however, he did the right thing and reported the security hole to the BKK, complete with a demo in which he was able to buy a $35 ticket for just 20 cents.
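The flaw the article describes is the classic case of a checkout that trusts a price sent by the browser. As an added illustration (not BKK's or T‑Systems' code; the fare table, amounts and function names are constructed), here is that pattern beside a hardened handler that prices the order server-side and records any mismatch for review:

```python
from decimal import Decimal

# Constructed fare table: the server, not the client, is the source of truth for prices.
FARES = {"SINGLE": Decimal("350"), "MONTHLY_PASS": Decimal("9500")}


class PriceTamperingDetected(ValueError):
    """Raised when a client-supplied total disagrees with the server's own fare table."""


def checkout_trusting_client(form):
    """Vulnerable pattern: charges whatever 'total' the browser posted.

    Anyone who edits the submitted form gets a ticket at the price they chose.
    """
    return {"fare": form["fare"], "charged": Decimal(form["total"])}


def checkout_server_priced(form, audit_log):
    """Hardened pattern: the client chooses only *what* to buy; the server prices it.

    A client-supplied total is never used for charging. If one is present and
    disagrees with the server price, the request is rejected and logged, because a
    mismatch is a tampering signal worth alerting on, not a discount to honour.
    """
    fare_id = form["fare"]
    if fare_id not in FARES:
        raise KeyError(f"unknown fare {fare_id!r}")
    qty = int(form.get("qty", 1))
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    expected = FARES[fare_id] * qty
    if "total" in form and Decimal(form["total"]) != expected:
        audit_log.append(
            f"price mismatch fare={fare_id} qty={qty} "
            f"claimed={form['total']} expected={expected}"
        )
        raise PriceTamperingDetected("client total does not match server price")
    return {"fare": fare_id, "charged": expected}
```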
The response was not what he expected. Four detectives turned up at his door at 7:00am on Friday, photographed him and questioned him extensively over his actions. The BKK then held a press conference at which its CEO Kálmán Dabóczi proudly announced they had caught a hacker and had filed an official complaint against him. Dabóczi assured everyone that the website was now perfectly safe.
That version of events was, however, immediately questioned by the teenager himself in a Facebook post.
"I am an 18-year-old, now middle school graduate," he wrote in a message that has since been posted hundreds of times to the BKK's Facebook page. "I trust that I can help solve a mistake."
In the message, he says he informed the BKK "about two minutes" after he discovered the flaw. "I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it, and not to use it."
He continued: "The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities."
He then asks others to help out: "I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report."
And so they have shared the entry – in their thousands – putting the BKK on the back foot.
As the outcry against the company's actions grew, Dabóczi was forced to defend himself Monday morning on the radio. He doubled down, claiming that the boy had sent his emails to accounts that he knew the company would not read – one of which was email@example.com – and had then posted his discovery of the hole online.
When that claim was met with skepticism, Dabóczi attempted to shift focus onto the company that operates the website's backend, T‑Systems, saying he had asked its CEO to write a report explaining the error and noted that it was T‑Systems, and not BKK, that had filed the complaint.
Here's a shovel
For his part, T‑Systems' CEO Zoltán Kaszás has also been forced to apologize, especially after it was revealed the company is paid $1m a year to maintain the system and its security.
In his own Facebook post, Kaszás acknowledged that the BKK's systems were not up to date and claimed that, while he had sympathy for the "young man's case," "under the circumstances, there was no other option than to report an unknown culprit."
In a sign that public opinion had already turned against T‑Systems and BKK however, Kaszás said he "would like to offer the opportunity for future cooperation if he is open to it," and announced that the company would start an "ethical hacking" program to work with security researchers.
But Hungarians are furious at what they see as the arrogant way in which BKK and T‑Systems handled the fact that an 18-year-old discovered an enormous flaw in their website and reported that fact to them.
With the BKK website down, its Facebook page swamped with over 46,000 one-star reviews, protestors outside its headquarters and the media interviewing the hacker and painting him as a put-upon hero – it is hard to imagine how BKK could have done a worse, and less grateful, job. ®