Over 45,000 users have left one-star reviews on a company’s Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest’s public transportation authority.
Teen hacks company using browser’s DevTools
The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price.
Because no client-side or server-side validation was in place, the BKK system accepted the operation and issued a ticket at the lower price.
As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
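The flaw described above comes down to a server charging whatever price the browser submits. The JavaScript below is an added illustration, not BKK's code: it contrasts that pattern with a handler that takes the price only from a server-side catalogue and re-checks the paid amount before issuing. The catalogue, field names and function names are assumptions made for this example.

```javascript
// Added example: constructed catalogue and request shapes, not BKK's code.
// Server-side price list: the only trusted source for what a ticket costs.
const CATALOGUE = new Map([
  ["monthly-pass", { priceHuf: 9459 }], // price figure taken from the article
]);

// Vulnerable pattern: the amount to charge is read from the request body,
// which is whatever the browser sent after the page was edited.
function quoteOrderTrustingClient(req) {
  return { productId: req.productId, chargeHuf: req.priceHuf };
}

// Hardened pattern: the request only names the product. The price is looked
// up on the server, and a differing client value is flagged for logging.
function quoteOrderServerSide(req) {
  if (typeof req.productId !== "string" || !CATALOGUE.has(req.productId)) {
    return { ok: false, error: "unknown product" };
  }
  const { priceHuf } = CATALOGUE.get(req.productId);
  const tampered =
    req.priceHuf !== undefined && Number(req.priceHuf) !== priceHuf;
  return { ok: true, productId: req.productId, chargeHuf: priceHuf, tampered };
}

// Second check at issue time: the amount the payment provider confirms must
// equal the catalogue price, otherwise no ticket is issued.
function canIssueTicket(productId, paidHuf) {
  const item = CATALOGUE.get(productId);
  return item !== undefined && Number.isInteger(paidHuf) &&
    paidHuf === item.priceHuf;
}

// Constructed request mirroring the article: page price edited to 50 HUF.
const editedRequest = { productId: "monthly-pass", priceHuf: 50 };

console.log("trusting client:", quoteOrderTrustingClient(editedRequest));
console.log("server-side:", quoteOrderServerSide(editedRequest));
console.log("issue for 50 HUF paid:", canIssueTicket("monthly-pass", 50));
```

The `tampered` flag gives operations staff a signal to log and review without the server ever acting on the client-supplied figure.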
BKK calls police and has the teenager arrested
The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
Police arrested the teenager in the middle of the night shortly after, even though the young man did not live in Budapest and never used the fraudulently obtained ticket.
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declared their systems “secure.” Since then, other security flaws in BKK’s system have surfaced on Twitter.