The Budapest public transit authority has come up with a new technique to handle bug reports:
The tale started last week when an unnamed 18-year-old found that he was able to, when purchasing a ticket online, poke the BKK website in a particular way to modify the ticket’s price and buy it at that new price.
Rather than take advantage of virtually free travel in the country’s capital, however, he did the right thing and reported the security hole to the BKK, complete with a demo in which he was able to buy a $35 ticket for just 20 cents.
The response was not what he expected. Four detectives turned up at his door at 7:00am on Friday, photographed him and questioned him extensively over his actions. The BKK then held a press conference at which its CEO Kálmán Dabóczi proudly announced they had caught a hacker and had filed an official complaint against him. Dabóczi assured everyone that the website was now perfectly safe.
That version of events was immediately questioned by the teenager himself, however, in a Facebook post.
“I am an 18-year-old, now middle school graduate,” he wrote in a message that has since been posted hundreds of times to the BKK’s Facebook page. “I trust that I can help solve a mistake.”
In the message, he says he informed the BKK “about two minutes” after he discovered the flaw. “I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it, and not to use it.”
He continued: “The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.”
He then asks others to help out: “I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report.”
And so they have shared the entry – in their thousands – putting the BKK on the back foot.