Teenager Finds Flaw, Gets Arrested
Posted by: Timothy Weaver on 07/24/2017 09:50 AM
[
Comments
]
After an 18-year-old reported a flaw in the Budapesti Közlekedési Központ (BKK), Budapest's public transportation authority’s ticket selling website, the transportation authority had him arrested.
The organization spends around $1 million per year for maintenance of its IT systems. However, the young man was able to alter the ticket price by simply accessing BKK's website, pressing F12 to enter the browser's developer tools mode, and modified the page's source code to alter a ticket's price.
Instead of fixing the reported bug, the company had him arrested in the middle of the night. After reporting the bug to BKK, the company contacted the police and filed a complaint charging him with hacking their system.
BKK boasted about the event and drew the ire of thousands of internet users. The public flooded their website and left negative comments. Out of five stars, 45,000 users left reviews of one star.
The event became a trending issue on Reddit and thousands of international users started leaving negative comments on BKK's Facebook page.
The teenager made this statement:
"I am an 18-year-old, now middle school graduate. Perhaps that which differs from the average, is that I trust that I can help solve a mistake.
I discovered last Friday that I could take a monthly ticket for 50 for the new internet e-ticket system in BKK, and then informed them about two minutes later. I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).
The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people - no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report."
Source: Bleeping Computer
The organization spends around $1 million per year for maintenance of its IT systems. However, the young man was able to alter the ticket price by simply accessing BKK's website, pressing F12 to enter the browser's developer tools mode, and modified the page's source code to alter a ticket's price.Instead of fixing the reported bug, the company had him arrested in the middle of the night. After reporting the bug to BKK, the company contacted the police and filed a complaint charging him with hacking their system.
BKK boasted about the event and drew the ire of thousands of internet users. The public flooded their website and left negative comments. Out of five stars, 45,000 users left reviews of one star.
The event became a trending issue on Reddit and thousands of international users started leaving negative comments on BKK's Facebook page.
The teenager made this statement:
"I am an 18-year-old, now middle school graduate. Perhaps that which differs from the average, is that I trust that I can help solve a mistake.
I discovered last Friday that I could take a monthly ticket for 50 for the new internet e-ticket system in BKK, and then informed them about two minutes later. I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).
The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people - no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report."
Source: Bleeping Computer
Comments
