Shortly after the Budapest Transport Authority launched a new e-ticketing system for its public transportation services earlier this month, Hungarian media reported that the new system was riddled with security bugs. The first to notice was an 18-year-old living outside of Budapest, who found that he could change the price of a ticket simply by editing the value his browser sent in the checkout (POST) request, using nothing more than the browser's built-in developer tools; the server accepted whatever price the client supplied. He was able to buy a monthly pass worth the equivalent of $36 for $0.20. The teen then alerted the transport authority (referred to as the BKK in Hungary) and the media.
About a week later, on July 21, the teen was arrested. As far as law enforcement in Budapest was concerned, buying the ticket constituted hacking.
Following the arrest, Hungarian software developer Laszlo Marai wrote a blog post about the events, explaining that the e-ticketing system appeared to have been rushed to launch in order to accommodate an influx of visitors to Budapest for the FINA (Fédération Internationale de Natation) World Aquatics Championships, which began the same day the new system was introduced. In the post, Marai catalogued the flaws found on the BKK's website after the teen's initial discovery.
One of those flaws was found by a Twitter user, @vista_df, who pointed out that the website’s captcha—meant to prove that a user is human—could easily be solved by a computer.
That user also found that rather than forcing ticket-holders to reset their passwords if they lost them, the system simply emailed their existing passwords to them in plain text. A site can only do that if it stores passwords in a recoverable form rather than as salted hashes, and it hands the credential to anyone who can read the user's mailbox or the mail in transit, which makes taking over accounts particularly easy.
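The contrast between "mail the user their password" and "force a reset" comes down to two things the server should do instead: store only a salted, slow hash it cannot reverse, and recover access with a one-time, short-lived token rather than the secret itself. The following is an added example of that corrected flow, written for this article; it is not the BKK system's code or anything from Marai's post. The account store, the token store and the work-factor and lifetime constants are assumptions chosen for illustration.

```python
"""Password storage and recovery done the way the article's critics expect:
the server keeps only a salted PBKDF2 hash, so it cannot mail the password
back, and a forgotten password is handled with a single-use, expiring token.
Stdlib only; the in-memory dicts stand in for a database."""

import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP-scale work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # assumption: a reset link stays valid for 15 minutes

# Constructed in-memory stores (illustrative only).
ACCOUNTS = {}        # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # sha256(token) hex -> (email, expiry_unix_time)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(email, password):
    """Stores a fresh random salt and the derived hash; the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(email, password):
    rec = ACCOUNTS.get(email)
    if rec is None:
        # Burn the same work for unknown accounts so timing does not reveal which emails exist.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def request_reset(email, now=None):
    """Mints the token that would go in the emailed link. Returns None for an
    unknown account; the HTTP layer should answer 'check your inbox' either way."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked table yields no usable links.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, now + RESET_TOKEN_TTL)
    return token


def complete_reset(token, new_password, now=None):
    """Consumes the token (single use), rejects expired ones, and sets the new hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    set_password(email, new_password)
    return True


if __name__ == "__main__":
    set_password("rider@example.com", "correct horse battery staple")
    print("login ok:", verify_password("rider@example.com", "correct horse battery staple"))
    tok = request_reset("rider@example.com")
    print("reset ok:", complete_reset(tok, "new-password-1"))
    print("token reusable:", complete_reset(tok, "attacker-password"))
```

Note what the server cannot do after this change: there is no code path that can produce the old password, so "we emailed it to you" is simply impossible, which is the property the critics of the BKK site were pointing at.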
But that wasn't all. It was also reported that the website's admin password was "adminadmin," and that the system left its users' personal data exposed to other logged-in users.
"After logging in," Marai wrote in his blog post, "people were also able to get the data of other users (probably through manipulating the url, the news report was not 100% clear here)." Marai added: "To register, you have to provide your name, your address and an ID number (national id, driving license or passport)." If that account is right, anyone with an ordinary account, not just an administrator, could harvest other users' names, addresses and government ID numbers.
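The two flaws that caused the most damage here, the client-settable price and the "manipulate the URL to read someone else's data" behaviour Marai describes, share one root cause: the server treats a value the browser controls as authoritative. The following is an added example, written for this article and not code from the BKK system or from Marai, that shows each handler in its vulnerable form beside a hardened one. The catalogue, the user table, the 50-forint figure from the teen's email and the handler signatures are constructed for illustration.

```python
"""Miniature checkout and profile handlers. Each handler returns an
HTTP-style (status, body) pair. The *_vulnerable versions trust request
data the client controls; the *_hardened versions do not."""

# Constructed data (illustrative only, not BKK's catalogue or users).
CATALOGUE = {
    "monthly-pass": 9500,   # prices in forints (HUF), chosen for the example
    "single-ticket": 350,
}
USERS = {
    101: {"name": "A. Kovacs", "address": "Budapest", "id_number": "AB123456"},
    102: {"name": "B. Nagy", "address": "Szeged", "id_number": "CD789012"},
}

# What the teen did: the browser's normal POST body, with the price edited.
TAMPERED_CHECKOUT = {"item": "monthly-pass", "price": "50"}


def checkout_vulnerable(form):
    """Charges whatever the POST body says. Editing the hidden price field
    in the browser's developer tools is enough to set the amount."""
    item = form.get("item")
    if item not in CATALOGUE:
        return 400, {"error": "unknown item"}
    return 200, {"item": item, "charged": int(form["price"])}


def checkout_hardened(form):
    """Looks the price up server-side from the item id. The client may send
    a 'price' field, but it is never read; the catalogue is the only source
    of truth, and the response echoes the price so the client can display it."""
    item = form.get("item")
    if item not in CATALOGUE:
        return 400, {"error": "unknown item"}
    return 200, {"item": item, "charged": CATALOGUE[item]}


def profile_vulnerable(session_user_id, path_user_id):
    """GET /users/<id>: returns whichever record the URL names and never
    consults the session, so changing the number in the URL reads other
    people's name, address and ID number."""
    rec = USERS.get(path_user_id)
    if rec is None:
        return 404, {"error": "no such user"}
    return 200, rec


def profile_hardened(session_user_id, path_user_id):
    """Binds the lookup to the authenticated session: the URL may only name
    the caller's own id. Anything else is refused before the lookup, and the
    404/403 split does not reveal whether the other id exists."""
    if path_user_id != session_user_id:
        return 403, {"error": "forbidden"}
    rec = USERS.get(session_user_id)
    if rec is None:
        return 404, {"error": "no such user"}
    return 200, rec


if __name__ == "__main__":
    print("vulnerable checkout:", checkout_vulnerable(TAMPERED_CHECKOUT))
    print("hardened checkout:  ", checkout_hardened(TAMPERED_CHECKOUT))
    print("vulnerable profile: ", profile_vulnerable(101, 102))
    print("hardened profile:   ", profile_hardened(101, 102))
```

The hardened checkout still accepts the same form the browser sends today; the fix is entirely on the server, which is why this class of bug is cheap to fix and why its presence at launch says more about testing than about the attacker.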
According to a Facebook post written by the teen who originally found the pricing bug, the BKK had initially responded to his email saying only that the pass he bought for $0.20 had been invalidated. Then, after stories about the bugs spread through Hungarian media, the transport authority took a different approach. The BKK, along with T-Systems Hungary, a subsidiary of Deutsche Telekom that helped build the e-ticketing system, said their systems had been repeatedly attacked by hackers, and that the teen in question had not alerted the authorities as he claimed.
“I personally feel for the young man concerned,” said a representative for T-Systems in a statement. “However, I would like to underline that under the given circumstances we had no other option but to press charges against an unknown offender (as the young man did not contact us).”
The teen, who was released from custody a few hours after he was arrested, later shared a screenshot of the email he sent to the BKK.
This is roughly what the email said, according to a Google translation:
I found a security breach on their website, in the basket when I pay the price of the product (POST request) for what I want. (I got a monthly ticket for 50 Forints) I did not use the pass, my aim was clear and good. I just reported.
In another post, the 18-year-old said he wouldn't have been able to use the ticket because, he said, "I don't even live near Budapest." Since his arrest was first reported, more than 47,000 users have left one-star reviews on the BKK's Facebook page in protest.