An 18-year-old Budapest man was temporarily detained by police after reporting a security glitch in the cities public transportation e-ticket system which allowed users to set their own ticket price.
The cities public transit, Budapesti Közlekedési Központ (BKK), system was already plagued with vulnerabilities, nonexistent security controls such as storing passwords in clear text, improper permission handling, non https redirection, use of the admin password of “adminadmin”, and the ability for users to set their own ticket prices, according to Independent researcher Laszlo Marai in a July 24 blog post.
Budapest rushed the system to market on July 14 so that it would be available for tourists attending the FINA world swimming championships.
The teen, who reportedly didn’t even know how to program, spotted the “set your own price” flaw using a simple developer tool in the browser and noticed the price being sent back to the server when he was about to make a purchase and decided to alter the price.
When he noticed the transaction went through he immediately emailed the transit authority to inform them of the glitch. He later got an email that his pass had been invalidated. A week after the findings, news broke that the teen had been taken into custody, but had been subsequently released after only a few hours.
The BKK reportedly told the press it never received the initial report form the man who spotted the error contrary to screenshots taken of the exchange.