The amount of idiocy in this story makes this note long enough, so I'll start from the end: as the title says, an 18-year-old was arrested two days ago for “hacking” the new Budapest e-ticket system, even though he immediately reported the vulnerability he had found.
As the story spread on social networks, tens of thousands of one-star reviews appeared on the Facebook pages of the companies involved: BKK (the Budapest transport authority, by its Hungarian abbreviation) and T-Systems Hungary, which is responsible for the electronic ticketing system. T-Systems Hungary belongs to Telekom Hungary, which in turn is a subsidiary of Deutsche Telekom; the T-Systems trademark also belongs to DT, and they are a very large player across the whole European market.
The story began a few weeks ago, when BKK announced the launch of a mobile version of its electronic tickets. Everyone, including me, was excited and surprised at the same time. We already knew that they had been working on an NFC/smart-card-based system for over 4 years, with no visible results but with more than 4 million euros spent. The first questions that came to my mind were “Somehow too fast, without any preliminary announcements or rumours” and “I wonder how they implemented fraud protection and authentication?”
The first question has at least a partial answer: they wanted to launch the system before the start of the FINA championship in Budapest, which is happening right now. Moreover, they planned to launch it on the day of the official opening of the championship (July 14). Smells a little, doesn't it? First, you should not launch such a system in a large city with an extensive public transport network and 1.7 million people without serious testing. Second, you should not launch it during an event that draws a huge number of tourists into the city. And third, it would have been wise to make the system available a few days before the championship started, since many visitors arrive somewhat in advance.
But the second question is much more interesting: how do you make the system secure? All that was known was that the system would be online, on the web, i.e. no app would need to be installed. Which certainly makes protecting it an even more interesting task.
What happened on launch day was unexpected even for programmers born in a small central (eastern) European country during the Soviet era. Of course there were problems, and of course the tickets were easy to copy to other devices, but that was only the beginning. Here is what was found:
- The system stored passwords in clear text and sent them by e-mail if you asked for a forgotten-password reminder. This meant that anyone who got access to the system also got access to most users' e-mail (let's be honest, most users use the same password everywhere).
- Users could see other users' data just by changing the URL. The application had no access control at all. People complained that they could open other users' profiles. And yes, registration required a name, surname, address and document number, and these had to be real, because the data had to be presented to ticket inspectors.
- If you simply typed the address (shop.bkk.hu), the site did not open. At first I thought it had gone down, but it turned out that they simply did not redirect from http to https. This lasted several days. If you had not heard about it, you just could not use the system.
- Someone found that the admin password was adminadmin, and was able to log in under that account.
- Of course, the tickets could easily be copied; users even posted a video of passing through the checks with copied tickets 10 times. The inspectors used the QR code scanner only twice (most simply did not have scanners), but even then they found nothing suspicious (which for some reason is not surprising).
- And the funniest thing: you could set the price of the ticket you were buying yourself.
That last vulnerability was the one found by the 18-year-old, and this story began with it. By his own account he did not even know how to program (he starts university this autumn). He just used the web developer tools built into the browser (available to everyone), saw that the price was being sent back to the server at the time of purchase, and tried to change it. A monthly pass costs 9,500 forints (about 30 euros); he set a price of 50 forints. Upon receiving confirmation of a successful purchase and receiving the pass, he immediately wrote to BKK by e-mail that they had a serious problem. In response he received only an e-mail stating that his pass had been cancelled, and that was all. Only when the press wrote about it and mass discussion of the above vulnerabilities began did BKK, together with T-Systems, start urgently covering their backsides. They began to claim massive hacker attacks, that society had shown itself not mature enough for such a system, that any system could be broken but their firewalls had prevented many attacks, that users had used obscene names during registration which they had to remove, etc.
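Two of the flaws in the list above, the client-supplied price and the profile lookup with no access control, have the same root cause: the server treats something the browser sent as authoritative. The following is an added example, not code from the original post or from BKK or T-Systems, that models each flaw as a tiny handler beside its hardened form and adds two regression checks a team could keep in its test suite. The catalogue, user store, request shape and function names are constructed for illustration; only the 9,500 HUF monthly-pass price comes from the post.

```python
"""
Added example (not from the original post or the vendors): a toy model of
client-trusted price and missing profile authorization, each beside a
hardened handler, plus regression checks for both.
"""

# Server-side price list in forints. The monthly pass figure matches the
# post; the single-ticket price and product names are constructed.
CATALOGUE = {
    "single": 350,
    "monthly": 9500,
}

# Constructed user store: user id -> profile data that registration required.
USERS = {
    1: {"name": "Alice Example", "document": "AA-000001"},
    2: {"name": "Bob Example", "document": "BB-000002"},
}


class RejectedRequest(Exception):
    """Raised when a request fails a server-side validation or authorization check."""


# --- Ticket purchase --------------------------------------------------------

def buy_ticket_vulnerable(request: dict) -> dict:
    """Charges whatever price the browser sent (the flaw described in the post).

    Editing the form field in the browser's developer tools changes the amount.
    """
    return {"product": request["product"], "charged": int(request["price"])}


def buy_ticket_hardened(request: dict) -> dict:
    """Derives the price from the server-side catalogue.

    The client only names the product; a 'price' field in the request is ignored.
    """
    product = request.get("product")
    if product not in CATALOGUE:
        raise RejectedRequest(f"unknown product {product!r}")
    return {"product": product, "charged": CATALOGUE[product]}


# --- Profile lookup ---------------------------------------------------------

def get_profile_vulnerable(session_user: int, requested_id: int) -> dict:
    """Returns whichever profile the URL names, ignoring who is logged in."""
    return USERS[requested_id]


def get_profile_hardened(session_user: int, requested_id: int) -> dict:
    """Returns a profile only if it belongs to the authenticated session."""
    if requested_id != session_user:
        raise RejectedRequest("profile belongs to another user")
    return USERS[requested_id]


# --- Regression checks: does a handler honour server-side authority? --------

def price_tampering_succeeds(handler) -> bool:
    """True if a request with a tampered price is charged anything other than list price."""
    tampered = {"product": "monthly", "price": 50}  # constructed request body
    try:
        return handler(tampered)["charged"] != CATALOGUE["monthly"]
    except RejectedRequest:
        return False


def idor_succeeds(handler) -> bool:
    """True if user 1 can read user 2's profile just by changing the id."""
    try:
        return handler(1, 2) == USERS[2]
    except RejectedRequest:
        return False


if __name__ == "__main__":
    for label, fn in (("vulnerable", buy_ticket_vulnerable), ("hardened", buy_ticket_hardened)):
        print(f"price tampering succeeds against {label} purchase handler:",
              price_tampering_succeeds(fn))
    for label, fn in (("vulnerable", get_profile_vulnerable), ("hardened", get_profile_hardened)):
        print(f"cross-user profile read succeeds against {label} lookup:",
              idor_succeeds(fn))
```

The design point is that the hardened handlers never read the sensitive value (price, owner) from the request at all: the product name selects a catalogue entry, and the session decides which profile may be returned. The two check functions are the kind of test that would have caught both issues before release.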
One of T-Systems' representatives said at a press conference the next day that they were happy to receive bug reports, and that they had received one such report, which was clearly an illegal hacking attempt. And although he mentioned SQL injection attempts, one can be sure he was talking about the 18-year-old “hacker” who turned out to be stupid enough to write them an e-mail.
A week later the news reported that he had been detained by police at his home (and released after a few hours). In a normal country with a working democracy, the person who reports a suspected violation is naturally not the one the police go after (and they could at least say thank you). But in a country like this, the police have no qualms about detaining someone who poses no threat to society. Especially if it is illegal. And in Hungary it is still illegal. The only reason they did this was to intimidate.
In the end, everything starts to look very, very bad for everyone involved.
- BKK ordered and accepted a system riddled with kindergarten-level errors. Most average junior developers would have written something better in a couple of weeks.
- T-Systems agreed to develop (most likely on an impossible deadline) a solution that could not work properly even if it had been written properly. (I assume they were not given the task of making tickets impossible to copy.) And they did develop it. And someone in management said “OK, release it.”
- BKK pays T-Systems 80 thousand euros per month for system support. Which is very interesting, because 80 thousand is enough to properly implement the entire system from scratch. Well, two or three times 80 thousand, if you add a couple of managers, a little testing and a few kickbacks.
Of course, you may ask why it was so urgent to release it for the FINA championship. Let's leave BKK's staff aside, since that organisation is run by politicians. But how could a normal manager allow this garbage into release? Did none of the engineers on the team tell management that something was going wrong? I find that hard to believe.
And again, was this really about FINA? Why did these guys act so rudely? In Hungary, people do not much like being treated this way. Especially if politicians are involved. And then there is the unwarranted pressure on the guy who reported the vulnerability. By law, what he did is not even illegal. He was accused of an “unauthorised intervention” in the system, which falls under the section on “committing fraud using information systems”, but the conditions described there were not met. Which calls into question whether the police behaved correctly (or whether T-Systems reported all the information they had).