
18yo arrested for reporting a bug in the new Budapest e-Ticket system - atleta
https://blog.marai.me/2017/07/24/18-year-old-arrested-bkk-tsystems-e-ticket/
======
goodplay
I remember coming across a serious bug in a site that belonged to a top
multi-billion company. My brother also found what was essentially an
unrestricted privacy leak (and possibly editing access) in a top university
(the leaked data is sensitive personal information, not academic). Neither of
us reported (or exploited) what we found.

Protection from this kind of blame-shifting and misdirected retaliation should
be guaranteed by law. Until it is, bugs in critical and important
infrastructure will go on unreported, and remain available for malicious
actors to exploit.

~~~
jogjayr
I'm having trouble understanding what exactly an org's thought process is when
they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left
unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is
usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means
they were clearly trying all the doors. Don't like that. Who knows what else
they found but didn't report." Which is understandable, but clearly
counterproductive. If the person was a malicious actor, they obviously
wouldn't go to the trouble of reporting in the first place.

~~~
jannes
My guess would be:

- BKK is the client of T-Systems. They have a contract for the development
and maintenance of this system which might contain clauses about liability or
indemnification in cases of hacking, security bugs, negligence, etc.

- This guy reported it to BKK who obviously don't have any technical
knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's
this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame
for overpromising and screwing it up, possibly taking a financial loss of an
unknown amount (depending on the contract and how widespread exploitation was)

~~~
pgaddict
That's unlikely. Even if you don't develop the system on your own and buy it
from a third party (be it T-Systems or someone else), you still need technical
expertise to prepare the requirements, evaluate the proposed solution
(possibly proposals from multiple vendors) and then do acceptance testing.
So the "BKK obviously don't have any technical knowledge" claim is bogus.

It's possible the particular BKK person dealing with the report does not have
technical knowledge, but that's more a fail on BKK's side, as they let
incompetent people deal with reports of security incidents.

But I'd bet it's merely a matter of covering broken shit and shifting blame.
BKK is (probably?) a public company, managing transport in the capital city.
They manage a lot of money, and it's not uncommon to funnel lucrative
contracts to friendly companies, even if it increases price and the quality is
dubious. Whoever came up with this project / awarded the contract / accepted
the solution is probably scared people might start digging into the details.
Better blame the problems on a hacker!

~~~
aries1980
> Even if you don't develop the system on your own and buy it from a third
> party (be it T-Systems or someone else), you still need technical expertise
> to prepare the requirements, evaluate the proposed solution (possibly
> proposals from multiple vendors) and then do acceptance testing.

I don't think this is true. When you buy a house, do you have to be able to do
the specification and evaluate? This is a good analogy, because T-Systems have
delivered similar solutions to other clients, what they needed here is a
little bit of tailoring and integration (which is not the part that failed).

~~~
afuchs
It is common for a typical western government to have domain specialists,
working directly for them, to help write the contracts and requirements for
their external contractors and vendors.

------
whatnotests
That's how the DMCA works. Remember the guy who gave a talk about Adobe's PDF
creator which purported to produce "secure" documents (required a password)
but the feature was easily bypassed.

Adobe had him arrested the day after he gave his talk.

Link to a Wired article here:
[https://www.wired.com/2001/07/russian-adobe-hacker-busted/amp](https://www.google.com/amp/s/www.wired.com/2001/07/russian-adobe-hacker-busted/amp)

EDIT: I have a terrible memory; thanks to the folks who replied to my comment
with corrections.

~~~
WillyOnWheels
> Adobe had him arrested on the stage as he gave his talk.

I was there!

The FBI arrested him in a hallway, 1 day after his talk. Dmitry at first
thought it was a joke put on by a Defcon prankster.

During his talk, the panel moderator asked Dmitry to pause for a minute... and
said "Would you mind saying 'Can you tell me where are the nuclear vessels in
Alameda'?" Dmitry was confused by this request and said, in his Russian
accent, "I do not know where the nuclear wessels are in Alameda?" The mostly
American Trek-familiar audience had a good laugh, and Dmitry continued with
his talk.

~~~
mod
I'm confused by his request as well; I can't understand why he asked it. Any
context?

~~~
Baeocystin
A scene in Star Trek IV.

[https://www.youtube.com/watch?v=kvkYTJYcYzY](https://www.youtube.com/watch?v=kvkYTJYcYzY)

------
lebowen
A few years ago I also found a serious bug in a debt collection agency's web
software. I ordered a phone and neglected to pay import tax and was chased by
the agency. I found their website and saw that they developed their management
software in-house and made it available for purchase by other agencies.

They offered a demo which I used to navigate around; in the demo there was a
reporting tool which essentially allowed you to send raw SQL queries to an
AJAX endpoint. Something along the lines of:

`http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts`

I switched out the demo software domain name for the live version and it
worked: not only could I query the database, there was no authentication
preventing me from hitting this endpoint.

At this point I was left with a dilemma: do I "erase" my debt, do I disclose
the bug and pay the debt, or simply pay the debt and move on? I chose to pay
the debt and move on due to fear of any recriminations. However, it has left me
uneasy ever since, knowing that this company has such bad security and any
debtors they are chasing for payments potentially will have all of their
personal data leaked.
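To make the failure mode in this comment concrete, here is an added example (not the debt-collection vendor's code, and not from the thread): the shape of an endpoint that runs whatever SQL the browser sends with no login check, beside a hardened reporting endpoint. The session store, report name, table and column names and the `before` parameter are constructed for illustration; no database is wired up, the hardened handler just returns the prepared statement it would hand to a driver.

```javascript
// Added example, not the debt-collection vendor's code: the pattern
// lebowen describes (an endpoint that runs whatever SQL the browser sends,
// with no login required) beside a hardened reporting endpoint. The session
// store, report name, table and column names are constructed for illustration.

// Vulnerable shape: /reports/ajax.php?sql=... hands the query string to the
// database as-is and never checks who is asking.
function reportHandlerInsecure(query) {
  return { status: 200, statement: { sql: query.sql, params: [] } };
}

// Hardened shape: the client may only pick a named report and supply typed
// parameters. SQL text is fixed server-side and values are bound as
// placeholders, so a "sql" query parameter has no effect at all.
const isIsoDate = (v) => /^\d{4}-\d{2}-\d{2}$/.test(String(v));

const REPORTS = {
  overdueDebts: {
    sql: "SELECT id, amount, due_date FROM debts WHERE agency_id = ? AND due_date < ?",
    params: [
      // Tenant scoping comes from the session, never from the request.
      { source: "session", key: "agencyId" },
      { source: "query", key: "before", check: isIsoDate },
    ],
  },
};

// Constructed session store: cookie value -> authenticated principal.
const SESSIONS = { "sid-demo-1": { userId: 7, agencyId: 42 } };

function reportHandler(query, cookies) {
  const session = SESSIONS[cookies.sid];
  if (!session) return { status: 401, error: "authentication required" };

  const report = REPORTS[query.report];
  if (!report) return { status: 400, error: "unknown report" };

  const params = [];
  for (const p of report.params) {
    if (p.source === "session") {
      params.push(session[p.key]);
      continue;
    }
    const value = query[p.key];
    if (value === undefined || !p.check(value)) {
      return { status: 400, error: `invalid parameter: ${p.key}` };
    }
    params.push(String(value));
  }
  // The caller would pass this to a driver's prepared-statement API,
  // e.g. db.all(statement.sql, statement.params); no database is wired up here.
  return { status: 200, statement: { sql: report.sql, params } };
}
```

The point of the allowlist is that the server never parses or validates SQL coming from the client; it only ever chooses between statements it wrote itself, and the tenant id is taken from the session so one agency cannot read another's debts even with a valid login.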

~~~
Rjevski
You don't erase just _your_ debt, you open up Tor browser and drop the entire
database. That'll teach them for next time.

~~~
kogepathic
> _you open up Tor browser and drop the entire database_

Apart from being a federal crime (CFAA), it would be rather obvious by the
logs that a user was testing SQL injection on the demo system minutes before
the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a
potential issue on their demo system. Let them connect the dots between demo
system and production system. If they can't make the logical leap, then they
deserve whatever someone else does.

~~~
Rjevski
Well obviously if you do that you wouldn't be testing the SQL injection for
your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case.
However leaving such a vulnerability exposed is so bad they deserve to get
their entire database dropped (and in this case I hope they _don't_ have
backups).

~~~
tertius
> However leaving such a vulnerability exposed is so bad they deserve to get
> their entire database dropped (and in this case I hope they don't have
> backups).

I understand the feeling here, but no, they don't deserve to get their assets
destroyed because of a lack of care.

~~~
Rjevski
Why not? Destroying the company means they won't be there anymore to put
everyone's PII at risk.

~~~
tertius
Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal
anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

~~~
Rjevski
Well the issue is that there are no penalties. Only free money for lawyers and
nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good
financial penalty for the company and doesn't make millions for useless
lawyers. That sounds like an acceptable solution by my standards.

------
amingilani
In my country, the laws are draconian and totally against this kind of
responsible disclosure. But being a good guy, whenever I find something I
write a strongly worded email explaining why the company's IT department
messed up, how to test said mess-up, and how they can hire my company to
ensure these kinds of stupid things don't happen again.

I've reported several of these issues; sometimes all I get is a single reply
months later saying "fixed". Mostly, nothing.

Once I found a SQL injection in a courier service's (very broken) web portal.
This was very serious because any idiot could drop all the tables, so I sent
an email to the most important worded member of their tiny, yet already
bureaucratically structured team. I followed up several times because I knew
someone saw my email (I embed beacons in my emails) but gave up after the
sixth time. Three months later someone else replied saying "thanks Amin, we've
fixed it".

On a separate occasion, a large government agency's emails routinely ended up
in my spam folder. It was a huge problem, and they acknowledged it and said
they couldn't figure out what was wrong. I took five minutes and found the
problem to be a misconfigured server on the domain. The server sending the
email thought it was `server-a.governmentdomain.com` but there were no DNS
entries pointing the subdomain to the server. I reported this problem with
clear instructions to test and fix the issue, but despite the instructions I
was called, multiple times, to explain the issue in my own words over the
phone. This was 2 years ago; last I checked, the issue was still present.

~~~
voidz
How do you embed beacons into your emails?

~~~
krallja
`<img src="https://my.server.net/beacon-uuid.png" height=1 width=1 />`

------
fencepost
Two takeaways, one from this and one from my other past experience.

First, when testing whether you can change a price and have a transaction go
through successfully, RAISE THE PRICE. If you lower the price the affected
entity may come back and say "See??? He's STEALING from us! Lock him up!" If
you've overpaid for something through their web interface that complaint and
issue goes completely away.

Second, if you're going to suggest that they contact you for assistance in
fixing it also suggest other options. My typical handling for this is with
hacked websites, so I'll basically say "Your website has problems X, Y and Z.
You should work with whoever you have working on your site to resolve these.
If you don't have anyone I may be able to assist you, or I recommend talking
with a firm like Sucuri.net which has dealing with and preventing issues like
this as their primary business. (My only link with Sucuri is having seen some
of their folks do presentations at trade shows.)"

~~~
taurath
3rd takeaway - don't do this in Turkey unless you want to end up in a literal
Turkish prison.

~~~
detritus
4th takeaway - the Budapest metro system doesn't quite go that far...

------
angus-g
Side note: this page gives me the weirdest Firefox behaviour I've ever seen:
[https://gfycat.com/HandyRapidJabiru](https://gfycat.com/HandyRapidJabiru)

~~~
satyanash
I am having this exact issue.

- Firefox 54.0.1 (64-bit)

- Arch Linux 4.11.5-1-ARCH

~~~
angus-g
I'm on the 4.11.9-1-ARCH kernel, but same Firefox version. I'm only able to
reproduce with the Zotero addon enabled, are you using it too?

------
fredsir
We've seen two[1] cases[2] of this in Denmark in the last couple of years
surrounding systems that kindergartens are using. The second one is currently
(still) being investigated, but the first one was rightfully concluded earlier
this year with the "hacker" being acquitted.

In both cases, it was dads of children in the institution that noticed the
bugs when they were rightfully using the system and were ignored when
notifying the responsible party about it until they "shouted it so loudly"
that they couldn't be ignored anymore, in which case they were reported to the
police for hacking.

Links below are in Danish, but they can probably be translated if needed.

1: [https://www.version2.dk/artikel/boernehavehackeren-frifundet-landsretten-1074257](https://www.version2.dk/artikel/boernehavehackeren-frifundet-landsretten-1074257)

2: [https://www.version2.dk/artikel/interview-hacker-tiltalt-jeg-totalt-uskyldig-1077581](https://www.version2.dk/artikel/interview-hacker-tiltalt-jeg-totalt-uskyldig-1077581)

~~~
andai
Translated to English:

1:
[https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.version2.dk%2Fartikel%2Fboernehavehackeren-frifundet-landsretten-1074257&edit-text=&act=url](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.version2.dk%2Fartikel%2Fboernehavehackeren-frifundet-landsretten-1074257&edit-text=&act=url)

2:
[https://translate.google.com/translate?hl=en&sl=da&tl=en&u=https%3A%2F%2Fwww.version2.dk%2Fartikel%2Finterview-hacker-tiltalt-jeg-totalt-uskyldig-1077581](https://translate.google.com/translate?hl=en&sl=da&tl=en&u=https%3A%2F%2Fwww.version2.dk%2Fartikel%2Finterview-hacker-tiltalt-jeg-totalt-uskyldig-1077581)

------
pmoriarty
_"this outrageous move from the police brought about fierce reaction
resulting in tens of thousands of 1-star reviews on the facebook pages of the
companies involved"_

In the old days, protesters used to physically go and picket in front of
company offices. These days, protesters leave one-star reviews. I wonder which
is more effective.

~~~
atleta
Yep, a few people were frowning, especially since democracy is in pretty
bad shape in Hungary right now. However, in this case it works: it will be
seen and remembered longer this way. Also, there were quite heated discussions
on facebook, the case received a lot of attention even from non-tech people,
the guy will be represented by the lawyers of a human rights association, etc.

And actually there will be a protest in front of the office of the Public
Transport Authority tomorrow. But I think in this case, the online petitioning
worked pretty well.

~~~
ahoka
"democracy is in pretty bad shape in Hungary right now"

I thought that Hungary has a democratically elected government. Did I miss
something?

~~~
praptak
"Democratically elected government" does not imply "democracy is not in bad
shape".

~~~
jacquesm
We have several examples of such situations right now.

------
SeanDav
Although deeply unfair, this is not unusual, there have been many reported
cases of companies shooting the messenger.

Unless the company concerned has a well documented and trusted bug bounty
procedure, it can be very risky to report a bug in a system, if it involves
any kind of hacking.

What happens is once the "bug" is reported, someone inside the company asks
"How did this happen?". Now the person responsible has 2 options, admit it was
their fault and the vulnerability exists and risk being accused of
incompetence, or say that the system was hacked.

Human nature being what it is, one tends to complain of being hacked, with
snowballing effects, which lead to the arrest of an 18 year old just trying
to help.

My advice: Don't report these types of bugs at all, or if you really feel you
must, report anonymously.

~~~
lerpa
One thing that solves this is stating the obvious, something getting hacked
means someone was incompetent.

~~~
andai
Indeed, I fail to see the distinction. Perhaps "hackers" have some kind of
mythical superpowers in the eyes of the common folk.

"There was nothing I could do boss! He's a hacker!"

------
abecedarius
> the poor 18 year old 'hacker' who was stupid enough to email them

s/stupid/trusting/. There's no reason to think this guy isn't bright, and he's
faced enough trouble without piling on.

~~~
infinisil
I believe the author meant it to sound sarcastic

~~~
abecedarius
It's definitely a jab at the company, but seems to cast a little shade too on
the bug-finder. Cf the lede "The amount of stupidity in this story warrants
that this is going to be somewhat long". That might not be the author's
intent! I hope they'll see this as helpful.

------
anujdeshpande
Sounds a lot like what happens here in India [1].

Also, if such behaviour is systemic, how should we bring about the paradigm
shift in handling such events? Such incidents will happen more often across
the world as e-governance becomes more predominant.

1 - [https://thewire.in/119578/aadhaar-sting-uidai-files-fir-
jour...](https://thewire.in/119578/aadhaar-sting-uidai-files-fir-journalist/)

------
chx
> We knew that they have been working on an NFC/smart card based system for
> around 4 years, without any visible result despite having spent over 4
> million EURs.

The public procurement process for the current system, called RIGO, was indeed
in 2013, but the whole process is much, much older than that. A more than 300
page feasibility study was published in 2011:
[https://www.bkk.hu/apps/docs/megvalosithatosagi_vizsgalat.pdf](https://www.bkk.hu/apps/docs/megvalosithatosagi_vizsgalat.pdf)
And a completely different system, called Elektra, was announced in 2004 with a
2006 deadline.

This whole clusterfuck with RIGO starting in less than a year was absolutely
unnecessary since the 2011 study already suggested supporting contactless
credit cards so once RIGO starts the only ones using this online ticket
purchasing system will be those who have a credit card but not a contactless
one. This is a (very) rapidly shrinking audience.

------
skinnymuch
The list of bullet points of the egregious flaws in the software just gets
worse and worse. It's crazy how I thought the first one or two would be the
worst, but it just got worse.

~~~
gargravarr
It's 20 freaking 17. How can people release software with these totally
elementary mistakes? Just one is bad enough, but... admin/admin?? This is
easily worthy of a Daily WTF article to itself.

And this software was written by a professional contractor - pretty sure you'd
get better quality from a kid fresh out of university, because on my course,
it was drilled into me - NEVER TRUST THE CLIENT BROWSER!

Companies need to understand, if they want an internet presence, no matter how
strong the laws are in their own country, laws don't stop a crime in progress,
especially when all they need to do is send a fairly simple message to the
website. Computers are dumb, they do what they're told. Giving anyone the
loophole to tell them to do something you didn't intend is asking to have it
exploited.

Going after the messenger will solve nothing. The guy who discovered the
payment flaw could easily have kept quiet, letting others discover it, or
quietly told his friends, who tell their friends, ad infinitum, and suddenly
the whole country is buying valid passes for a penny, costing the company a
hideous amount of money. Prosecuting the whistleblower will actually hurt
their bottom line.
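The "never trust the client browser" rule in this comment, as an added example (not code from the BKK shop, T-Systems or the blog post): the checkout handler that charges whatever price the browser posted, beside the server-side version that looks the price up itself. Product ids, catalog entries and the 350 HUF single-ticket price are constructed; 9500 HUF is the monthly-pass figure mentioned elsewhere in the thread.

```javascript
// Added example, not code from the BKK/T-Systems shop or the blog post:
// the "trust the client's price" anti-pattern beside its server-side fix.
// Catalog entries, product ids and the single-ticket price are constructed
// for illustration; 9500 HUF is the monthly-pass figure mentioned in the thread.

// Server-side catalog: the only place a price may come from.
const CATALOG = {
  "monthly-pass": { name: "Monthly pass", priceHuf: 9500 },
  "single-ticket": { name: "Single ticket", priceHuf: 350 },
};

// Vulnerable shape: the checkout handler charges whatever price the browser
// posted. The price sat in a form field or JS variable, so editing it in the
// dev tools and resubmitting is all it takes.
function createOrderInsecure(body) {
  return {
    productId: body.productId,
    amountHuf: Number(body.price) * Number(body.quantity),
  };
}

// Hardened shape: the client may only say what it wants and how many.
// Price is looked up server-side, quantity is validated, and a client-sent
// price that disagrees with the catalog is flagged so it can be logged.
function createOrder(body, catalog = CATALOG) {
  const item = catalog[body.productId];
  if (!item) throw new RangeError("unknown product");
  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    throw new RangeError("invalid quantity");
  }
  const tampered =
    body.price !== undefined && Number(body.price) !== item.priceHuf;
  return { productId: body.productId, amountHuf: item.priceHuf * qty, tampered };
}

// Request-level wrapper: bad input becomes a 400 response, never a cheap ticket.
function handleCheckout(body) {
  try {
    const order = createOrder(body);
    if (order.tampered) {
      // Worth alerting on: a legitimate client never sends a different price.
      console.warn("client price mismatch, charging catalog price", body);
    }
    return { status: 200, body: order };
  } catch (err) {
    if (err instanceof RangeError) {
      return { status: 400, body: { error: err.message } };
    }
    throw err;
  }
}
```

The hardened handler keeps the price field out of the trust boundary entirely: the client's number is at most a tamper signal for logging, and the amount charged is computed from data the server already holds.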

~~~
Zekio
"NEVER TRUST THE CLIENT BROWSER!"

Isn't it mostly in multiplayer game programming where this gets said over and
over, "Never trust the game client", even though it should be said in all
aspects of programming really?

~~~
gargravarr
I would have ended at 'client' but figured it could extend to the human
(although that's true too). But yes, there is still so much naivety among
those implementing distributed or client-server systems, thinking they can
trust input from remote sources.

------
TimJYoung
The software industry better start investing more in educating the general
public/government officials about how web applications work, or this is only
going to get worse with technologies like WebAssembly in the hands of similar
companies. If anything, people need to understand that these endpoints _can_
be accessed without a browser, and we can't be arresting people/hauling them
in for questioning for sending _bad data_ to such an endpoint. After all, what
does "bad data" even mean in such a context?

Also, a question: does the EU have the legal concept of "fair use"? I would
have thought that messing around with a web application would fall under fair
use, given that the web application can, and probably will, be stored on a
person's computer. A computer that they (also probably) personally own, I
might add...

------
jccooper
This sort of thing teaches people to exploit or ignore rather than report.
Anyone who reports should be commended, even if they did real hacking (which
using dev tools on a web browser is not.)

Someone's going to probe your system; you should be glad to hear about it in
email rather than in the news or your accountants or from angry customers.

------
nthcolumn
Someone pointed out to me the other day that just connecting to a poorly
configured system is illegal in some places (Finland in his case). A form of
trespass, he said. This was a ship in international waters registered in the
Russian Federation so not sure whose law applies lol. Perhaps if there were more cases
where full advantage was taken of such incompetence with spectacular
newsworthy results then people would be more appreciative of the work we do
and the laws changed to protect whistle-blowers and activists generally.

------
minusSeven
> someone found out that the admin password was adminadmin and managed to log
> in using that.

Wtf, I thought I was bad at my job.

~~~
andai
Conversely, the person who set it to adminadmin probably thought they were
doing a great job.

------
pmoriarty
_"if you just typed in the url (shop.bkk.hu), the site just wouldn't appear.
At first I thought they've taken it offline, but it turns out that they just
didn't set up the http -> https redirection. And it was left like that for
days. If you just heard about it, you couldn't use it. You had to click a link
(normal users won't figure out to put an https in front of the host name, even
I didn't think of it)."_

I'd really like to know which of these is the better solution.

It seems to me that if people go to the http address, they could be redirected
to an attacker's address with a simple MITM attack. So there's an argument to
be made for not using http at all, even for a legitimate redirect, because it
can be so easily MITM'ed.

On the other hand, if the http address is left unused, then people who try it
anyway and it fails will be confused. For this solution to work, it seems the
users have to be educated to always and only use the https address.

For these reasons, the whole separate http/https scheme seems broken by
design.

What's the consensus from the security community as to the right setup here?
Am I missing something, or is there a better way?

~~~
biot
Not having an http site doesn't help in a MITM scenario as the attacker will
happily serve up an http site even if you don't.

~~~
Darkenetor
The only solution is to always go for the HTTPS resource disregarding any
suggestion. On browsers a strict configuration of Smart HTTPS [0] covers that;
for everything else I think the best solution would be to intercept all HTTP
traffic, request the HTTPS counterpart (and decide if falling back on failure
is acceptable instead of just dropping the connection), then serve locally
the decrypted response. Worse than properly requesting the right one from the
start, but hard enough to exploit.

[0] [https://mybrowseraddon.com/smart-https.html](https://mybrowseraddon.com/smart-https.html)
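For pmoriarty's question about the right setup, here is an added example (not BKK's server configuration, and not from any of the replies): a plain-HTTP listener that only redirects, an HTTPS response that sets `Strict-Transport-Security` (HSTS, RFC 6797), and a small model of the browser-side HSTS cache showing why the header closes the window biot describes for returning visitors. The host name `shop.example.test` and the one-year max-age are constructed; the real shop host in the story is shop.bkk.hu.

```javascript
// Added example, not BKK's web server configuration: the setup the replies
// above converge on for the http/https question. Host name and max-age are
// constructed; the real shop host is shop.bkk.hu.

const SITE_HOST = "shop.example.test";
const HSTS_MAX_AGE = 31536000; // one year, in seconds

// Port-80 listener: serves nothing, only a permanent redirect to the same
// path on https://. No Strict-Transport-Security header here, because
// browsers ignore that header when it arrives over plain HTTP (RFC 6797).
function handlePlainHttp(req) {
  const host = String(req.headers.host || "").split(":")[0].toLowerCase();
  // Redirect only to the host we serve; a forged Host header must not turn
  // this listener into an open redirect.
  if (host !== SITE_HOST) return { status: 400, headers: {}, body: "unknown host" };
  const path = typeof req.url === "string" && req.url.startsWith("/") ? req.url : "/";
  return { status: 301, headers: { Location: `https://${SITE_HOST}${path}` }, body: "" };
}

// Port-443 responses carry HSTS, so a browser that has seen the site once
// over https:// rewrites later http:// navigations locally, before any
// request leaves the machine. That is what stops the downgrade for returning
// visitors; the very first visit still relies on the redirect (or on the
// browser preload list).
function httpsResponseHeaders(extra = {}) {
  return {
    "Strict-Transport-Security": `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
    "Content-Type": "text/html; charset=utf-8",
    ...extra,
  };
}

// Minimal model of the browser-side HSTS cache, to show the effect.
function makeHstsCache() {
  const expiry = new Map(); // hostname -> expiry time in ms since epoch
  return {
    // Called with the headers of an https:// response.
    remember(hostname, headers, now = Date.now()) {
      const m = /max-age=(\d+)/.exec(headers["Strict-Transport-Security"] || "");
      if (m) expiry.set(hostname, now + Number(m[1]) * 1000);
    },
    // Called before the browser opens a connection for a typed URL.
    resolve(url, now = Date.now()) {
      const u = new URL(url);
      if (u.protocol === "http:" && (expiry.get(u.hostname) || 0) > now) {
        u.protocol = "https:";
      }
      return u.toString();
    },
  };
}
```

Leaving port 80 closed, as the quoted site did, only costs usability: an attacker on the path can answer on port 80 regardless, so the redirect is there for users and HSTS is there for security.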

------
beters
When I was in Budapest a few weeks ago, I heard from multiple locals that the
metro system was owned by some sort of mafia. I wonder if that explains the
subpar security and overreaction to the bug report.

edit: a few weeks ago, not this past summer that is still occurring

~~~
atleta
I'm not aware of any actual mafia. They were almost certainly being metaphorical
and must have been just bashing the local government. Because what they do is
really a shame. One of the lines is de facto in a life threatening condition.
Trains caught fire multiple times. Instead of being replaced, the 40 year old
cars are being refurbished/modernized. This has something to do with the EU
(they gave money for this, but not that). There was a tender, but miraculously
it was the Russians who won it, despite their offer being quite a lot more
expensive than that of the Estonians. And of course, as it happens with
corruption, they failed to deliver a properly working version, so after a few
weeks of testing, the first few trains were sent back.

About the security (or rather the extremely low quality) of the eTicket
system: that was developed by a 3rd party that belongs to the Deutsche Telekom
group, and that company is indeed quite a high profile system integrator
working with a lot of large companies, banks, etc. So it's a bit surprising
(even if corruption is involved) that they released it in this form. Actually
I'm surprised by these bugs even for a prototype that was forcefully pushed
out of the door, because you just never do these things in the first place.

~~~
inferiorhuman
> Instead of being replaced, the 40 year old cars are being
> refurbished/modernized.

Age seems like a bit of a red herring to me. Here in San Francisco BART cars
are about that old, Muni runs 90 year old Italian trams and American ones that
are close to 70 years old. And, of course, the cable cars. BART bears about
the worst of it because many parts are no longer available.

~~~
atleta
Interesting point. Don't forget that this is 40-50 year old Soviet technology
:). And the cars are actually in pretty bad shape, well over their planned
lifetime of 30 years (AFAIK). Full of rust, sometimes catch fire. The drive
system is also problematic, because it doesn't have regenerative braking, so
the cars heat the tunnels quite a lot, which is pretty bad during the summer.

They are in such a bad shape and/or hard to rebuild that not much remains of
the original during the refurbishment.

~~~
kodfodrasz
Actually the Russian company and the tender has received attacks that the cars
are actually new, only some identifiers have been transferred from the old
cars, as Metrowagonmash had a dozen or so surplus cars of the type the used
cars were supposed to be upgraded to.

------
ikeboy
> Didn't any of the engineers on the team tell their managers that something
> isn't right? I find it hard to believe.

Or, the managers knew full well the system was shit and they had no time to
fix it, but 80k/month is 80k/month.

~~~
oblio
This is Hungary we're talking about, more likely it was 24k or less.

~~~
ikeboy
The article says

> BKK pays T-Systems 80kEUR/month to operate this system.

If you were offered that, would you turn it down because you can't actually
deliver a secure system in time?

~~~
oblio
Oh, I missed that part, I thought you were talking about programmer salaries
:)

------
odabaxok
All I can think about is what a shame this must be for the developers releasing
this software. There must have been a bunch of people working on this, and
wasn't there anyone to say this is wrong?

------
minademian
this reminds me of a dark joke.

A rabbit was detained by the secret police. The interrogator asks him, "what
are you?" The rabbit says, "rabbit."

They torture, beat, and electrocute him for days.

Then, the interrogator asks him, "who told you you're a rabbit?"

------
qualitytime
Once there was this website which offered phone number to location service.

They had a form you could try the demo where it sent an SMS to verify and only
allowed one query.

If you looked at the source of the page it had hidden fields to override the
SMS verification and allow multiple queries.

I freaked out some friends for the day and nearly contacted a journalist but
lost interest after some weeks.

I could have had my 15 minutes of fame or be on some list, or both.

It's alright, had some fun.

------
StreamBright
Actually he exploited the bug and purchased a ticket for a fraction of the
price and then reported it to the public transportation company. The company
that runs the infrastructure (not the public transportation one), following its
internal policy and Hungarian law, reported the incident to the authorities.
Police brought in the guy for questioning.

~~~
nithinm
By purchasing the ticket, he was confirming the vulnerability. I am sure he
knew that they would cancel the ticket when he reported it. I don't find any
wrongdoing here.

~~~
StreamBright
And you think that this is going to be enough at the court?

Have a look at this list, many of them thought they are not doing anything
wrong:

[https://en.wikipedia.org/wiki/List_of_computer_criminals](https://en.wikipedia.org/wiki/List_of_computer_criminals)

The point is that we live by the law, not how you feel about a certain action.
I agree that the law is a bit problematic, but regardless we cannot cherry-pick
which law to follow and which not.

~~~
kowdermeister
Yes, that should be enough. You won't get into any trouble if you break a
window when the house is on fire. This time, the site was on fire.

------
secult
We had a similar case - the National Security Authority (NBU SR) of a
neighboring country got their public web infrastructure hacked after someone
guessed the credentials (nbusr:nbusr123). In the end, the guys went free after
trial because police were unable to unambiguously identify them.

------
aries1980
Open-source implementation of the password cryptographic method.
[https://github.com/moszinet/BKKCrypt](https://github.com/moszinet/BKKCrypt)

------
SubiculumCode
All I want to say is something off topic, but the only vacation I've had away
from the kids and with my wife was a week in Budapest, and I miss it. Such a
beautiful city, so romantic...and I rode the metro everywhere.

ahh Budapest.

:-)

~~~
SubiculumCode
Not to mention the US dollar spends well there. I felt rich and I am just a
postdoc.

------
triacus
The Hungarian Government Incident Response Center (GOVCERT_Hungary) provides
the opportunity to report security vulnerabilities for everyone in an
anonymous manner: [http://www.cert-hungary.hu/node/397](http://www.cert-hungary.hu/node/397)

Better late than never...

------
dogmata
I wonder if the outcome would have been the same if, instead of marking the
price down from 9500HUF to 50HUF, it was 9499HUF; the test would have still
proved the issue.

------
ohthehugemanate
As a Deutsche Telekom client, I can say that this quality level is par for the
course for T-Systems. Not surprised at all.

------
wooptoo
Just don't bother with companies who don't have a bug bounty system in place.

------
Aissen
I thought some CERTs were now doing the reporting as a way to shield security
researchers from this kind of thing? Or did I hear wrong?

------
shanky1323
THIS --> "someone found out that the admin password was adminadmin and managed
to log in using that."

------
willhackett
A sure-fire way to let vulnerabilities go unnoticed and unfixed.

------
daef
is HN hugging shop.bkk.hu to death?

~~~
daef
visiting [https://bkk.hu/](https://bkk.hu/) (and watching the dev console)
shows that they obviously develop their page http-first (various resources
won't load in Firefox due to mixed http(s) content)

~~~
daef
and after switching to english the search on the top of the page is broken

~~~
daef
check robots.txt -> wordpress... seriously?

------
Negative1
The price of a ticket was client-side authenticated!? I can't fathom the level
of incompetence required to do something like this...

~~~
netsharc
"Budapest's new e-ticketing system uses state-of-the-art JavaScript to deliver
a smooth user experience, combining a great React front-end with a micro-
services node.js backend!" - marketing blurb I just made up, needs more
buzzwords though.

~~~
jaclaz
...stateless cloud interactive real-time connection through highly
sophisticated authentication featuring dual way private/public key encryption
services with single use time-limited tokens ...

~~~
krylon
Don't forget the blockchain! It needs more blockchain! ;-)

~~~
freeflight
Also wouldn't mind some "cyber" in there :D

~~~
jaclaz
... cyberspace with optional IoT interfacing ...

(I had completely forgotten IoT)

------
lightedman
Not just reporting it, but having actually exploited it to confirm before
reporting it, even if just to test. That was the wrong move.

What should have been done was the second he had the thought that such a
vulnerability could exist, he should have notified them that he believes that
there is a possibility for one to alter the site code locally to gain unfair
pricing, and to ask them if either he could check for them or if they could
check using his proposed method.

The second you actually test without permission, you've committed a crime.
Jury/court might look at intent later on, but for now, you've committed a
crime and are thus subject to arrest.

~~~
krallja
How do you know if the server validates the price or not, without testing it?

Do you report every site that uses HTML forms for being insecure?

------
kutkloon7
Not really related to the technological side of the story, but I had a
horrible experience with the international trains from Budapest. So they don't
need a broken electronic system to provide a horrible service ;)

My parents went to buy a ticket at the counter. The lady behind the counter
didn't speak English (which is totally OK). Her only communication was a 'go
away' movement with her hand, after which she ignored us and signaled for the
next customer in line to come to her.

Luckily a colleague of hers helped us and gave us careful instructions on the
time and platform of the train. After we took the train and sat for a few
hours, the conductor of the train came and notified us that our tickets were
invalid. We argued for some time, since the lady behind the counter had told us
this was the right train. The conductor became mad and told us that we had to
pay him 50 euros in cash for some unknown reason (presumably to buy a ticket
for the train we were on, but his English was very limited). Note that this
was a normal train and there was no shortage of seats. In the end, we chose to
get out at the next stop and take the next train, which was about 3 hours
later.

