More than 45,000 users have voiced their disapproval on social media for Hungary’s public transport system after police arrested an 18-year-old man for reporting a flaw in its new e-ticket system.
Since mid-July, users have come out in droves to give Budapest’s Transit Authority, known as the Budapesti Közlekedési Központ (BKK), as well as T-Systems Hungary, a poor rating of just one star on their respective Facebook pages.
The cause of all these unsatisfied ratings stems back to the BKK’s roll-out of a new mobile-based e-ticket system around July 14.
This roll-out raised two questions in the mind of Laszlo Marai, a “CTO-for-hire” based in Budapest. First, why had BKK debuted the system without much fanfare beforehand? And second, how did the BKK secure the system?
Marai offers an answer to the BKK’s timing in releasing the e-ticket system:
“The answer to the first question, well, at least the partial answer, is that they wanted it to be available for the visitors of the FINA world championships, that is being held in Budapest right now. Even more cleverly, they timed the public launch to be on the day of the official opening event (14th July). This already stinks a bit. First of all, of course, you don’t just launch such a system in a city with a pretty large public transport system and 1.7 million people without serious testing. Second you definitely don’t launch it during an event that attracts a lot of extra tourists. Third, you probably want it to be available at least a few days before the opening event, because well, a lot of visitors will arrive early.”
The answer to the second question came when the system went live.
Let’s just say it wasn’t a smooth roll-out, as Marai describes:
- the system stored the passwords in clear text and it emailed it to you if you asked for a password reminder. Now, this means that for most people, anyone who had access to the system, got probably access to their email account as well. (Because, let’s be hones, most people will just use the same password everywhere.)
- after logging in, people were also able to get the data of other users (probably through manipulating the url, the news report was not 100% clear here). I.e. the app didn’t have proper permission handling. Some people claimed that they were able to access the profiles of other users this way. Now, to register, you have to provide your name, your address and an ID number (national id, driving license or passport). These have to be real, because you may have to prove ticket controllers that the pass belongs to you.
- if you just typed in the url (shop.bkk.hu), the site just wouldn’t appear. At first I thought they’ve taken it offline, but it turns out that they just didn’t set up the http -> https redirection. And it was left like that for days. If you just heard about it, you couldn’t use it. You had to click a link (normal users won’t figure out to put an https in front of the host name, even I didn’t think of it).
- the ticket wouldn’t show up properly in Safari on iPhones.
- someone found out that the admin password was adminadmin and managed to log in using that.
- of course the tickets were 100% copyable, a few guys made a video of passing ticket control 10 out of 10 times without being caught. The ticket controllers used a QR reader only twice (majority of them doesn’t have it, nor knew much about the app at all) and even then they wouldn’t be caught. (Unsurprisingly, I would add.)
- but the most ridiculous flaw, and as far as I know the first security issue to have been discovered, was that you could just set the price for the pass you were about to buy.
Those issues, however, didn’t compare to what Marai considered to be the worst vulnerability of all: the ability to change the price of a pass you were about to buy.
As the tech advisor explains:
“This last one was the one found by the 18 year old gentleman I started my story with. According to him, he doesn’t even know how to program yet (he’ll start the university this autumn). He just used the developer tools in the browser, that everybody has access to, saw that the price was being sent back to the server when he was about to make a purchase, and tried if he could change it. A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF. When he got the confirmation that it worked and was able to see his pass in the app, he immediately emailed the BKK (the Transport Authority) that there was a serious problem. He got an email that his pass was invalidated, but otherwise they didn’t get back to him.”
A week later, news broke about how the police had taken the teen into custody in the early morning hours. Officers released him a few hours later, however, likely because they took him in for “unauthorized influence” without sufficient evidence to back up that crime.
In the meantime, T-Systems has come out saying it’s documented some hacking attempts against its system and that it welcomes bug reports.
That’s a good step in the right direction. But it’s certainly a bit hypocritical given what happened to the teenager. Companies like T-Systems and BKK need to work with security researchers to better secure their systems. That includes differentiating a legitimate hacking attempt from a working proof-of-concept.
Even more than that, however, organizations need to pay more attention to security so that they don’t lose face amidst a flurry of security flaws. Pushing for the availability of a new system might make sense from a business point-of-view… but not if that system isn’t ready.
Marai puts it even more bluntly:
“You might ask the question: why was it so-so f*cking urgent to do a release for the FINA championship? Let’s forget about the BKK people, as that organization is controlled by the politics top down. But how come any sane professional manager would let this pile of cr*p into release? Didn’t any of the engineers on the team tell their managers that something isn’t right? I find it hard to believe.”
Let’s hope other companies read this story and subsequently think twice about releasing a new product or system without adequately testing it for security bugs first.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.