Over 45,000 users have left one-star reviews on a company’s Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest’s public transportation authority.
Teen hacks company using browser’s DevTools
The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price.
Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.
As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
BKK calls police and has the teenager arrested
The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
Police arrested the teenager in the middle of the night shortly after, even if the young man didn’t live in Budapest, nor did he ever use the fraudulently obtained ticket.
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems “secure.” Since then, other security flaws in BKK’s system have surfaced on Twitter.
As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner. The beneficiary of this humongous contract is a local company called T-Systems, which ironically sponsored an “ethical hacking” contest.
Talking to Hungarian press, the young hacker said he only had the best intentions when he reported the issue to BKK and said he hopes the organization withdraws its report.
Hungary’s Facebook community reacts with vitriol
In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK’s page.
While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK’s page after the incident become a trending topic on Reddit.
“You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!,” said one user.
Most of the 45,000 reviews follow the same (translated) template, a message from the young whitehat.
“I am an 18-year-old, now middle school graduate. Perhaps that which differs from the average, is that I trust that I can help solve a mistake.
I discovered last Friday that I could take a monthly ticket for 50 for the new internet e-ticket system in BKK, and then informed them about two minutes later. I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).
The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report.”