The Budapest Transport Authority (BKK, in Hungarian) recently launched an online payment system with the help of T-Systems Hungary, Deutsche Telekom’s consulting arm. The system, which took three months to build, was supposed to be installed in time for the FINA world championships in Budapest. The software, not unexpectedly for such a project, was full of bugs, including an administration screen with a password set to “adminadmin.”
I would like to congratulate the devs / ticket controllers of @bkkbudapest on the rollout of the new e-ticket system. Very secure CAPTCHA! pic.twitter.com/TbkZKaHLwX
— vista (@vista_df) July 14, 2017
Government incompetence augmented by money-hungry consultants is nothing new. But what happened next is certainly something unique.
On or about July 14 an unnamed 18-year-old – “The boy is nobody. He’s not even a programmer,” said one Hungarian who wished to remain anonymous – emailed BKK about a hole he found in their system. The hole, if it can be called that, let anyone with passing knowledge of modern browsers set any price they wanted for any ticket in the system. By simply pressing F12, a “hacker” could change the price of a ticket right in the browser, and because there were no server checks, they could purchase the ticket at that price. The 18-year-old “hacker” discovered this and showed BKK that he was able to buy a monthly ticket. “A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF,” wrote Laszlo Marai in his post on the attack.
Read More. Hungarian hacker arrested for pressing F12
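
The missing server check described in the article, as an added example (not BKK's or T-Systems' code, and not part of the original article): an order handler that charges whatever price the browser submits, next to one that takes the price only from the server's own catalogue. The product id, field names and quantity limit are assumptions; 9500 HUF is the monthly pass price quoted above.

```javascript
// Constructed server-side price list, in HUF. "monthly-pass" is a hypothetical id.
const CATALOGUE = new Map([
  ["monthly-pass", { name: "Monthly pass", priceHuf: 9500 }],
]);

// Vulnerable shape: the amount charged is whatever arrived in the request body,
// so a price field edited in the browser's developer tools is accepted as-is.
function createOrderTrustingClient(form) {
  return { productId: form.productId, chargedHuf: Number(form.priceHuf) };
}

// Hardened shape: the client only names the product and quantity.
// The price comes from the server's catalogue; a client-sent price is never
// used for charging, only compared so that a mismatch can be logged or alerted on.
function createOrder(form) {
  const product = CATALOGUE.get(form.productId);
  if (!product) {
    return { ok: false, error: "unknown product" };
  }
  const quantity = Number(form.quantity ?? 1);
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10) {
    return { ok: false, error: "invalid quantity" };
  }
  const tampered =
    form.priceHuf !== undefined && Number(form.priceHuf) !== product.priceHuf;
  return {
    ok: true,
    productId: form.productId,
    quantity,
    chargedHuf: product.priceHuf * quantity,
    tampered,
  };
}

// Constructed request body: the form as received after the price field was edited.
const editedForm = { productId: "monthly-pass", quantity: "1", priceHuf: "50" };

console.log("trusting client:", createOrderTrustingClient(editedForm));
console.log("server-side price:", createOrder(editedForm));
```

The same rule applies to the payment step: the amount sent to the payment provider should be the server-computed total, not a value echoed back from the client.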