Security researcher arrested after he warns Hungarian transit company about their dumb mistake

Originally published at:

So, are they following Moscow rules?

*Just throwing a little Cold War spy humor into it because it feels like we’re getting dangerously close to that with the way corporations operate these days.


Don’t worry. There are 40K negative reviews for that company now.

That should save him.


From a recent NYT op-ed:

There’s an old joke from the Cold War era: Two trains pull into Warsaw’s Central Station — the westbound Moscow-Paris express and the return train from Paris heading in the opposite direction. A Frenchman peers out of the eastbound train, looks at the city and thinks, “My Lord, Moscow is every bit as gray as I expected!” A Russian on the westbound train takes a quick look around and exclaims, “Ah, que c’est beau, Paris!”

Replace Warsaw with Budapest, and literal beauty with politics, and I think it still works.


Go read the full article:

"The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price.

Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.

As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents)."

Well, there you go. He admittedly hacked the system and stole a ticket. (kid probably wanted credit for showing the bug.

Kinda sounds like upper middle management got caught in a rather hard place, and forced a police response due to the fact that they are complete idiots when it comes to programming skills.
Not to mention management skills.

We all know how slippery these hackers are.
Hell, Hollywood has been telling us for years that we’re only a step away from armageddon due to these nefarious types.


Zero Stars

Would Not Gulag Again.


That’s substantially worse than a lack of server-side validation. The server shouldn’t be expecting the client to provide the price in the first place, much less using it; at worst it should ignore it; at best it should treat the unexpected data as an error.

Well, maybe you could also use the client-submitted price to confirm that the price made it to the client and back unchanged, but that seems a little paranoid.

I think the most likely possibility is that this is an intentional bug that someone put in so they could get free tickets. You’d have to be really, really stupid to design it this way unintentionally.

I mean, if it’s actually a stateless process (no shopping cart on the server side linked to a cookie in the client), you can still quote a price to the user but include a salted cryptographic hash of the price/date/time/origin/destination/etc. that has to be sent by the client with the rest of the order so the server can confirm the quote is unaltered. But I’ve only ever seen that technique used for trivial things like expiring download links.

In former Iron Curtain, nothing is stateless!
Gosudarstvennost FTW!


The things that scapegoaters respond to might not be the same as you and I.

1 Like

This can actually be a legal requirement, if I were running this site like this and I show you $35 for the ticket, but while your deciding if you want to make the purchase someone buys the last $35 ticket, or ‘demand pricing’ kicks in, do you want to server to just go ahead and charge you $45 for the ‘new’ ticket price or warn you that the price is different? There are of course other ways to do this entirely server side, but I’ve seen more than a few systems that rely on on client side state to reduce server stored session information. And you point out ways to do it securely, but I don’t know that I would expect most ‘enterprise’ developers to know of, much less know how to, build a secure cryptographic signature for a transaction.

I’d guess large multi-part contracting arrangement. Group A is contracted to make the site front end, ticket price display, pricing database, etc. Group B is contracted to make the payment system. Group B has requirements like ‘Accepts a price and payment details, on successful payment send a recipt+ticket.’ And dumb implementation choices ensue.

1 Like

thats not hacking, that’s changing the terms of a contract and then a system foolishly accepting your changes and set up to do so.

It’s not even illegal as far as I know, in Hungary. It could be, but is a ticket not a two-way contract, with terms negotiable up to the time of purchase?


You’ll also need some chalk, and drawing pins. Don’t confuse the colour codes.


It is really common for Web developers not to be very security-aware. And so they code for the normal case, and they don’t think about what a malicious person will do. If you have the security mindset, you are never trusting user input and you are assuming that if there is any kind of interface into your system, attempts to abuse it will be made.


I don’t understand what you mean ?

The response is exactly why they don’t shut off the internet.

It decapitates the “emperors new clothes” response that huge protests engender.

“Let them eat clicks.”

Edit: 2 minutes of understanding from RSA animate on shared versus individual knowledge.

1 Like

Embarrass a petty bureaucrat of any sort and he or she will spend the rest of his or her life, if need be, in exacting retribution.

In countries where it is still illegal to “fail to give proper respect” to a government official (which can extended to failing to remove your hat when talking to him or using the wrong verb tense (too informal)), it will be ten times worse.

In a word where a normally tech-inclined large blog tells me that 45k one-star reviews show or mean anything I am willing to believe that, in nearly no-time, we will live under ground and talk with our hands, my dear @doctorow.

Even without any W3C DRM bullshit i don’t fully understand.

I’m on eHarmony, and the login isn’t secure (according to the newest Firefox) , that bothers me… I’ve got no financial info there and I guess the worst that someone can do is change my prefs to older ladies of size… might actually get some matches and messages!!

Tell Max I have two proofs.


That’s an indication that they aren’t using HTTPS. That’s freaking insane, considering the personal info they’re handling.

1 Like

I have seen a remarkable number of systems built exactly this way by people claiming to be professional web developers. Some with an impressive client list!

Of course, that in no way invalidates your point :wink: