An 18-year-old ethical hacker reported a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest's public transportation authority. He used the browser's built-in developer tools (the so-called Inspect Element view, which any major browser opens when you press F12) to edit the ticket price in the page from about $35 to 20 US cents before submitting the purchase. The server accepted the edited value because there was no server-side validation: the price was taken from the client's request instead of being looked up on the server.
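The pattern behind this class of bug, as an added JavaScript example rather than anything from BKK's system: a checkout handler that trusts the price field sent by the browser, next to a hardened version that only lets the client choose what to buy and takes the price from a server-side catalog. The catalog, item IDs, prices (in cents) and quantity limit are constructed for the example, and the tampered request stands in for the form a buyer edits in the developer tools.

```javascript
// Added example (not BKK's code): why a price field in the browser must not be
// trusted by the server. Catalog, item IDs and prices are constructed.
const CATALOG = Object.freeze({
  "monthly-pass": 3500, // hypothetical price, in cents
  "single-ticket": 120,
});
const MAX_QUANTITY = 10; // assumed business limit

// Request body a browser sends after the buyer edits the price input in the
// developer tools (constructed sample modelled on the tampered purchase).
const tamperedRequest = { itemId: "monthly-pass", quantity: 1, price: 20 };

// VULNERABLE: the server multiplies whatever price the client sent. Editing the
// <input> in the page is enough to pay 20 cents for a 3500-cent pass.
function checkoutVulnerable(req) {
  return { itemId: req.itemId, charged: Number(req.price) * Number(req.quantity) };
}

// HARDENED: the client chooses *what* to buy, never what it costs. The unit
// price comes from the server-side catalog, the quantity is validated, and a
// client-supplied price that disagrees with the catalog is recorded as a
// tamper signal so it can be alerted on instead of silently honoured.
function checkoutHardened(req) {
  if (typeof req.itemId !== "string" ||
      !Object.prototype.hasOwnProperty.call(CATALOG, req.itemId)) {
    throw new Error("unknown item");
  }
  const qty = req.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QUANTITY) {
    throw new Error("invalid quantity"); // also blocks negative or fractional totals
  }
  const unitPrice = CATALOG[req.itemId];
  const tampered = req.price !== undefined && Number(req.price) !== unitPrice;
  return { itemId: req.itemId, charged: unitPrice * qty, tampered };
}

// Stand-alone demonstration of both handlers on the same tampered request.
console.log("vulnerable:", checkoutVulnerable(tamperedRequest)); // charged: 20
console.log("hardened:  ", checkoutHardened(tamperedRequest));   // charged: 3500, tampered: true
```

The hardened handler recomputes the total from the catalog on every request, so nothing the browser sends can lower it; the `tampered` flag is what a detection team would log and alert on, because a mismatched client price is a near-certain sign that someone is probing the checkout.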
This type of corporate behavior is really dangerous in the long run. Oftentimes the professional communities for these types of things are extremely small, and many of them know each other well enough to pass information on.
If a company is known for shafting its tech security staff left and right because it doesn't understand how to manage them, eventually the remaining professionals are going to know about it, and then it won't be able to find anyone qualified for the job.
Having worked in security, we don't think that people are going to stop looking for exploits; they're just going to stop submitting them to the company and will instead release them publicly as zero-days, or sell them directly on the black market.
In our experience, you will always have qualified people if the money and benefits are good enough. But also realize that infosec is still a relatively new field, so the management chains are having to evolve, and most management still doesn't understand anything. It will evolve, and the need for security is increasing exponentially right now with all the "hacks" happening, and they need to glorify those who find these exploits.
— Gábor Héja (@gheja_) July 25, 2017
As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of IT systems that had been hacked in such a ludicrously simple manner. The beneficiary of this humongous contract is a local company called T-Systems, which ironically sponsored an "ethical hacking" contest.
Companies don't take this well. If they don't have a policy that states you may conduct a security assessment and rewards you for it within a defined scope (a so-called bug bounty program), then they will prosecute. If they don't have such a policy, as Facebook or Google do, or don't provide you with a get-out-of-jail-free card, then don't bother.
Everyone seems to think they'll walk away with a check for being the good guy. Unless the organization has a known bounty program, do what's best for yourself and keep your mouth shut.
These are the kinds of review comments people posted with a one-star rating:
"If we're ever taken by the police in the middle of the night, please do more to save us than leaving a bad review."
"BKK, drop the charges and get your act together."
"I am an 18-year-old, now a middle-school graduate. Perhaps what differs from the average is that I trust that I can help solve a mistake.
I discovered last Friday that I could take a monthly ticket for 50 in BKK's new internet e-ticket system, and I informed them about two minutes later. I did not use the ticket; I do not even live near Budapest, and I have never traveled on a BKK route. My goal was just to signal the error to BKK so that it could be solved, not to use it (for example, to sell the tickets at half price for my own benefit).
BKK was not able to answer me for four days, but in their press conference today they said it was a cyber attack and that it had been reported. I found an amateur bug that could be exploited by many people; no one seriously thinks that an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that BKK will come to a better understanding and see that my purpose was merely to help; I have not harmed or wanted to harm them in any way. I hope that in this case BKK will consider withdrawing the report."
Obviously it is bad that a young man who found a flaw in a system and reported it was actually taken in by police.