A teenager trying to help the Budapest Transport Authority (BKK in Hungarian) patch its online payment system was instead arrested for his good deed and accused of launching a cyberattack against the organization.
The BKK had recently launched the online payment system in preparation for the FINA world championships in Budapest. It built the system over three months with the help of Deutsche Telekom’s consulting arm, T-Systems Hungary.
The teenage “hacker” was far from the only one to notice the system’s many vulnerabilities. Others criticized the site’s “totally secure” CAPTCHAs and one administrative screen whose password was set to “adminadmin.” The 18-year-old, a high school graduate, noticed that it was possible to press F12 (opening the browser’s developer tools), change the price of the ticket within the page, and then purchase the ticket at that price – the server accepted whatever price the browser submitted.
The boy used the loophole to purchase a monthly ticket for 50 HUF (about $0.19 USD) instead of the regular price of 9,500 HUF ($36.23 USD) – something anyone with a passing knowledge of modern browsers would have been able to do, he said, as it was an “amateur bug.”
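The flaw described above is a server trusting a price field that the browser submitted. As an added example (not BKK’s or T-Systems’ code; the product ids, field names, quantity limit and the 350 HUF single-ticket price are assumptions, while 9,500 HUF and 50 HUF come from the article), the following Python shows a checkout handler that trusts the client price beside one that treats a server-side catalogue as the only price authority, plus a small audit that flags already-recorded orders paid below catalogue price.

```python
"""Server-side price authority for a ticket checkout.

Added example, not code from BKK or T-Systems. It models the flaw the
article describes: a checkout that used the price posted by the browser.
Product ids, field names and the single-ticket price are assumptions.
"""

# Constructed catalogue; on the hardened path this is the only source of prices.
CATALOG_HUF = {
    "monthly_pass": 9500,   # assumed id; 9,500 HUF is the price in the article
    "single_ticket": 350,   # assumed id and constructed price
}
MAX_QTY = 10                # assumed per-order limit


class PriceTamperingError(ValueError):
    """Raised when the submitted order does not match the catalogue."""


def checkout_vulnerable(form):
    """'Before': total is whatever number the browser put in the form.

    Editing the price field in developer tools changes what is charged.
    """
    return int(form["price"]) * int(form.get("qty", 1))


def checkout_hardened(form):
    """'After': look the price up server-side and validate the rest.

    A submitted price is never used for the total; if one is present and
    disagrees with the catalogue it is treated as evidence of tampering.
    """
    product = form.get("product_id")
    if product not in CATALOG_HUF:
        raise PriceTamperingError(f"unknown product {product!r}")
    try:
        qty = int(form.get("qty", 1))
    except (TypeError, ValueError):
        raise PriceTamperingError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise PriceTamperingError(f"quantity {qty} out of range")
    unit = CATALOG_HUF[product]
    if "price" in form and str(form["price"]) != str(unit):
        # The client should not need to send a price at all; a mismatch means
        # the page was edited or the request was modified in transit.
        raise PriceTamperingError(
            f"client price {form['price']} != catalogue price {unit}")
    return unit * qty


def is_rejected(form):
    """True if the hardened handler refuses the order (used by the audit/test)."""
    try:
        checkout_hardened(form)
    except PriceTamperingError:
        return True
    return False


def flag_underpaid_orders(records):
    """Detection over stored orders: ids whose paid amount is below catalogue.

    Each record is (order_id, product_id, qty, amount_paid_huf).
    """
    flagged = []
    for order_id, product, qty, paid in records:
        expected = CATALOG_HUF.get(product)
        if expected is None or paid < expected * qty:
            flagged.append(order_id)
    return flagged


if __name__ == "__main__":
    # Constructed request: the browser's price field was changed to 50.
    tampered = {"product_id": "monthly_pass", "qty": "1", "price": "50"}
    print("vulnerable handler charges:", checkout_vulnerable(tampered))   # 50
    print("hardened handler rejects:", is_rejected(tampered))            # True
    # Constructed order log to audit after the fact.
    log = [("o1", "monthly_pass", 1, 9500), ("o2", "monthly_pass", 1, 50),
           ("o3", "single_ticket", 2, 700), ("o4", "single_ticket", 3, 350)]
    print("underpaid orders:", flag_underpaid_orders(log))                # ['o2', 'o4']
```

The hardened handler also shows why the safe design drops the price field from the form entirely: once the server computes the total from its catalogue, a submitted price is at best redundant and at worst a tampering indicator worth logging.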
The so-called hacker then immediately contacted BKK to demonstrate what he’d been able to do so that they could patch the system. After four days without a response, the hacker found himself being brought in for questioning by the police.
“I did not use the ticket,” the accused said in a statement on Facebook, which has been translated from Hungarian. “I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).”
Neither the BKK nor T-Systems took any responsibility for the bugs, claiming that there was nothing wrong with the system and that all holes in the software had been patched.
T-Systems said the hacker had not contacted company officials, and therefore the company had had no choice but to press charges against the unknown offender. However, the contractor suggested that, if the hacker’s motives were indeed on the up and up, it might like to collaborate with him in the future. For ethical hacking only, of course.