Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
EU Businesses Facebook Security Social Networks

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com) 295

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

This discussion has been archived. No new comments can be posted.

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest

Comments Filter:
  • by Anonymous Coward on Sunday July 23, 2017 @06:33PM (#54863903)

    Never try to help souless corporation.

    • by ma1wrbu5tr ( 1066262 ) on Sunday July 23, 2017 @08:29PM (#54864281) Journal
      Seems like they just CNNed themselves. Bwahahaha!
    • by Anonymous Coward on Sunday July 23, 2017 @10:10PM (#54864631)

      Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

      People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

      A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

      • by e r ( 2847683 )

        People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

        Ayn Rand, is that you!? We all thought you were dead! How did you--? I mean, seriously, we thought you were dead!

    • by Gondola ( 189182 )

      Something similar happened to me in college 20 years ago. I reported that they had an insecure network mount, and they gave me a written warning that went on my record, and almost banned me from the computer services entirely -- which would have made writing papers and doing research impossible since I didn't have them at home.

      This is why people aren't nice to each other.

  • by bjdevil66 ( 583941 ) on Sunday July 23, 2017 @06:49PM (#54863951)
    That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

    The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.
    • by Sique ( 173459 )
      The manager who authorized that embarrassment was the owner of the shop himself. So he has to fire himself.
  • "Unjust arrent" (Score:5, Insightful)

    by Anonymous Coward on Sunday July 23, 2017 @06:56PM (#54863969)

    While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

  • by FeelGood314 ( 2516288 ) on Sunday July 23, 2017 @07:01PM (#54863983)
    This company has no clue how eCommerce works. They actually are double handy capped in that they don't even know what they don't know so they likely had a false sense of thinking they actually did understand things. If you use the website as intended you can't change the price. I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

    Kálmán Dabóczi, BKK, the police and the judge who issued the warrant all owe this kid a big apology. However, not everyone can understand everything and it is reasonable to expect that sometimes you will get unlucky and get a company and a few members of the police who have almost zero understanding of a subject and make a stupid mistake. The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib. Hopefully they were professional about the entire thing. Kálmán Dabóczi has likely learned a very hard lesson so let him apologize and get to work. He now has a pile of free penetration results to deal with and possible the job of selecting a new supplier for the website.
    • by Luthair ( 847766 )
      Actually, you need permission of the site to test their security. Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.
      • by Anonymous Coward

        No, this was more like someone leaving a note for me that my door was wide open.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Actually, you need permission of the site to test their security.

        I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

        Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

        Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him

      • by TheReaperD ( 937405 ) on Monday July 24, 2017 @02:18AM (#54865095)

        Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

      • Car analogies only at /. please!

        This is like a car dealership putting the price of the car on the outside of the windscreen, you go up to the car and changed the ticketed price by changing the price form £9,000 to £8,000 by joining the 9 up. You then go tot he salesman and purchase the car at the price you changed it to, salesman sell it to you at that price. You later tell the dealership they should put their pricing behind the glass in the locked car so the price cannot be manipulated.

    • by stephanruby ( 542433 ) on Sunday July 23, 2017 @07:31PM (#54864097)

      I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

      Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

      No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or may be someone read it, but had not told Kalman yet). That's the only possible justification.

      And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kalman Daoczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned them self in is a vindictive action and a complete waste of police resources.

    • The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib.

      They would have, had this taken place in the US (or, tellingly, a 3rd world totalitarian state) instead of Hungary. If little Bou Bou gets a flashbang in his crib because they're looking for someone with petty non-violent drug charges, and shooting dogs is the police's favorite sport (one cop has shot 60 himself now)... imagine an evil computer hacker interfering with an American company and their God-given right to earn profit, a far more serious offense.

  • Well then (Score:5, Insightful)

    by Anonymous Coward on Sunday July 23, 2017 @07:02PM (#54863985)

    I guess security researchers and hackers now learned a lesson.

    Find a bug? Exploit the f**k out of it. Don't bother reporting it.

    • Re:Well then (Score:4, Interesting)

      by Solandri ( 704621 ) on Sunday July 23, 2017 @07:29PM (#54864091)
      No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

      Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.
      • by Uberbah ( 647458 )

        Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see

        Wow. Where any shrooms involved in the formation of this analogy? Why don't you go pay a visit to Eric Garner's family and tell them that taking advantage of a web site's shitty security to get cheap tickets is just like their dad being strangled to death on the street. You might wanna bring a cup and a mouth guard.

      • by AmiMoJo ( 196126 )

        My policy is to report the bug if the company has a reasonable looking bug bounty programme. Such a programme demonstrates that they probably have the right attitude, and even if it's just a trap you can point to it in court as evidence of your good faith.

        If there is no bug bounty programme I'll either ignore it or report it anonymously to a relevant mailing list. If the company has a contact email address (not a web form) then I'll CC them in.

        Anything else is too risky. If you want responsible disclosure,

        • Make an infographic of how to do it, and post it to 4chan. The company will find out they have an issue in no time if you do that!

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Monday July 24, 2017 @07:06AM (#54865873)
      Comment removed based on user account deletion
    • I could never recommend exploiting a found defect. Its unethical and really the reason that we have to have laws. Obtaining free tickets this way isn't really much different than shaking them out of a vending machine (assuming you don't damage the machine). But if a company doesn't have an established bug bounty program, I would *never* contact them with a defect report. I would definitely sell it on one of the markets for these. It's just less risky. Until there are laws protecting people who report
  • Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

    Surely no e-commerce site should rely on client-side validation? That seems like asking for trouble.

    • But JavaScript can do anything!

    • by Greyfox ( 87712 ) on Sunday July 23, 2017 @07:23PM (#54864075) Homepage Journal
      None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the google web toolkit, which allows you to write your web page's UI in Java and then converts it to Javascript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.
      • by AmiMoJo ( 196126 )

        Last week another company set up an FTP server for one of our older products to send data to. I know, FTP, but this thing predates my joining the company and it does actually work quite well. Anyway, they were having trouble so we logged in and found ourselves dumped into the root of their Linux server. We could see everything and seemed to be running at root.

        I emailed them about it and they said it was fine because the machine was "isolated".

    • You should not rely on it but you definitely should use it. Client side validation is something you use to help pre filter information that is going to be rejected by your server and can be very handy, e.g. users setting a username or password or even an address, if the format is invalid and will be rejected server side then you may as well save the server the processing time.. You don't use it as a security mechanism though!
  • I'd be more impressed if the facebook hive mind did something about this [youtube.com].
  • by mpoulton ( 689851 ) on Sunday July 23, 2017 @07:11PM (#54864025)
    ...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu... [facebook.com]
  • That way, no accusation of getting financial gain from the "hack" would have been possible.

    As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.

  • Don't report bugs (Score:5, Interesting)

    by Andy Smith ( 55346 ) on Sunday July 23, 2017 @08:41PM (#54864323)

    I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

    • Re:Don't report bugs (Score:5, Interesting)

      by martyros ( 588782 ) on Monday July 24, 2017 @02:44AM (#54865149)

      I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

      Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

      Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

      Nope. Three days later a palate containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

      I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

      Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break in to their systems.

      Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at javascript.

  • I'm not one for advocating laws but looking at this and seeing the obvious effect it's going to have on white hat security vigilantes (saying nothing or being turned grey/black hat by corporate, egotistical, twats covering their own arse) the only solution seems to be to create laws to protect the white hats.
    Laws like those which protect freedom of press and speech.
    If you haven't benefited from your discovery and research then you can't be prosecuted.
    Instead of reporting to the corporation report to a gover

  • I don't report bugs to the company. I may report it to their ISP, but usually I don't bother in the sense I don't go looking for bugs.

    I don't know, but isn't there a bug reporting system that will allow anonymous communication? If not, maybe that's something CERT could look into sponsoring.
    Sort of like the old abuse.net system, where you could register "Hey, this is where we take spam reports seriously." That way the clued in sites will let the whitehats know their reports are taken seriously, and the white

  • I haven't been on Slashdot much lately, but is that the new euphemism for hacking?

    The simple rule is don't poke around someone else's defenses and then get mad when they treat you as a threat. How would you feel if someone told you "Hey, I've been trying to break into your house lately and just realized your bedroom window is unlocked!" ?

    • by Sabriel ( 134364 )

      A lot less appreciative than if they'd told me "Hey, sorry, I have an obsessive-compulsive disorder about checking locks and yours aren't working."

      One is a burglar in search of a Darwin Award, the other is a good samaritan in need of therapy; having the police arrest the latter is the act of an asshole.

    • No, it's not new, and this isn't poking around in defenses, simply because there was a complete absence of defenses. The programming terms for the missing class of checks are input validation and sanitation.

      This was the equivalent of someone handing you an order form where you fill in both price and quantity, you filling in the wrong price and handing it back, then them reading your price and going with that, no comments. And after you instead of using the incorrectly priced service told them they should pe

    • Not a good analogy at all. He wasn't in someone else's house. Nor on their porch, nor their property.

      Everything he modified was on his computer. They dropped a bunch of stuff into his browser, he modified it on his end, and they loaded the info from his computer back into theirs and took it as true.

      That is not at all similar to breaking and entering. In your analogy he never left his own house.

  • Since they are so insistent on their system being secure when it clearly isn't, wouldn't it be funny if someone sold themselves a ticket with a negative value attached, thereby crediting themselves a large sum of money?

  • by Anonymous Coward on Monday July 24, 2017 @03:35AM (#54865263)

    The online ticket selling system in question was developed by the hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of perparadness, but the whole infrastructure was duressed into live operation prematurely.

    The reason for such a hurry was the ongoing FINA 2017 would championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

    Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureucrats and construction company owners) and the event's budget skyrocketed to 4x times of the planned, tehreby taking away a lot of money earmarked for public education and the country's single-payer health system.

    While Budapest has a dense and well-developed surface mass transport system called BKK (formely BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link, there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

    Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership un-realistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

    BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his pennys purchase of a name-assinged pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, climing their corporate legal policies require such step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

    • by Anonymous Coward on Monday July 24, 2017 @04:12AM (#54865369)

      Since I'm a local, let me also add this for the human resources aspect of the story:
      Another reason for the hurried introduction of the inscure, unfinished BKK online ticket sales system was that the Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

      Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

      He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the lenght of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

      Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him is a "mameluk" i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since BKK has been stagnating and the city's population eventually questioned why no public transit development happens since Vitezy left? Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

      BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the russians don't conquer our country again in the meanwhile...

  • Go full blackhat or get fucked. I bet their server where customer information resides has gaping security loopholes too. Instead of punishing the company the try to kill the messenger.
  • You say "ludicrously simple" but in today's 8-week-bootcamp to "Javascript ninja rockstar" culture, I've all but given up on trying to explain to front-end developers why client-side validation alone isn't sufficiently secure. I explain it to them once, shrug off their uncomprehending stares and wait for them to implement what I just told them not to, demonstrate the "hack" in front of them, wait for them to protest that "well, anybody who is competent enough to think of THAT is surely unstoppable anyway!"
  • "The King Has No Clothes on!"

    I think in the original version the person that made that proclamation was promptly beheaded.

    If not, it should at least be mentioned.

  • Idly browsing one night, I discovered that all access controlled had been switched off our corporate network. Yes I could even open the CEO's home folder. It didn't take much brain power to realise that if I looked any further there would be time stamps on files that matched my shift time, so I didn't go any further (despite being curious).

    I waited until the morning and phoned a relatively junior IT team member and explained the security lapse to him (on the basis of anonymity), who then escalated the prob

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...