Horribly Coded Website "Hacked" Teen Goes to Jail

FrgMstr

So you go to a website that is so horribly coded that you can change the company's pricing when purchasing its product. Then you change the price, buy the ticket as proof of the problems, and report it to the company. Then what happens? The company has you arrested. Wow. The company, BKK, which had less than a total of 500 reviews on Facebook, now has a total of 45K one-star reviews. Well deserved, I would suggest. I am not even sure how this counts as "hacking." There is a site admin somewhere that should be in jail instead.


The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price.

Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.

As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
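The flaw quoted above comes down to the server charging whatever price the browser posts back. The following is an added example, not code from the thread or from the BKK site: a checkout function that trusts the posted price, beside one that looks the price up server-side. All function names and the 350 HUF single-ticket price are constructed for illustration; 9459 and 50 HUF are the figures quoted in the article.

```javascript
// Server-side catalog: the only place a price should come from.
// (Constructed sample data; the single-ticket price is made up.)
const CATALOG = new Map([
  ["monthly-pass", { name: "Monthly pass", priceHuf: 9459 }],
  ["single-ticket", { name: "Single ticket", priceHuf: 350 }],
]);

// VULNERABLE pattern (hypothetical reconstruction of the bug described):
// the page carried the price in an editable field and the server charged
// whatever came back, so editing that field in the browser's developer
// tools changes the amount charged.
function checkoutTrustingClient(form) {
  const item = CATALOG.get(form.productId);
  if (!item) throw new Error("unknown product");
  const price = Number(form.price); // controlled entirely by the client
  return { product: form.productId, chargedHuf: price };
}

// HARDENED pattern: the client may say *what* it wants, never *how much*
// it costs. The price is looked up server-side, the quantity is validated,
// and a client-supplied price that disagrees with the catalog is recorded
// as a tamper signal rather than acted on.
function checkoutServerPriced(form, tamperLog = []) {
  const item = CATALOG.get(form.productId);
  if (!item) throw new Error("unknown product");
  const qty = Number.parseInt(String(form.quantity ?? "1"), 10);
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    throw new Error("bad quantity");
  }
  if (form.price !== undefined && Number(form.price) !== item.priceHuf) {
    tamperLog.push(
      `price mismatch for ${form.productId}: client sent ${form.price}, catalog says ${item.priceHuf}`
    );
  }
  return { product: form.productId, quantity: qty, chargedHuf: item.priceHuf * qty };
}

// Constructed request: the checkout form as posted after the price field
// was edited from 9459 to 50 in the developer tools.
const tamperedForm = { productId: "monthly-pass", price: "50", quantity: "1" };

// Stand-alone demonstration of both handlers on the tampered form.
const demoLog = [];
console.log("trusting client:", checkoutTrustingClient(tamperedForm)); // charges 50
console.log("server priced:", checkoutServerPriced(tamperedForm, demoLog)); // charges 9459
console.log("tamper log:", demoLog);
```

The mismatch log line is the detection hook: a burst of such entries from one session is the signal a defender would alert on, while the charge itself stays correct regardless.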
 
I see crap like that and wonder how these people have jobs. Even as a QA, I know to test for something like that; any competent dev should never have let something that stupid get through.
But then I realize, government contract…
 
I doubt BKK only had 500 one star ratings before this. There was plenty of hate towards them already.

Also, the irony is that the website wasn't developed in-house, but by a contractor who happens to be T-Systems, you know, part of that magenta brand and a multinational company with worldwide presence. And according to BKK, reporting the teen to the police was also done by the local branch of T-Systems. (They, however, claimed that some cyber security laws actually require them to file a police report.)
 
I doubt BKK only had 500 one star ratings before this. There was plenty of hate towards them already.

Also, the irony is that the website wasn't developed in-house, but by a contractor who happens to be T-Systems, you know, part of that magenta brand and a multinational company with worldwide presence. And according to BKK, reporting the teen to the police was also done by the local branch of T-Systems. (They, however, claimed that some cyber security laws actually require them to file a police report.)

The crazy part of this whole thing is that nothing was hacked. There was no breach. This kid did changes to the site locally on his computer from the source that is downloaded when the page loads.

Talk about T-Systems really trying to pass the buck here. How they managed to code such an amateur website.
 
eh... so instead of just telling them of the problem, he exploited the problem and then showed them first hand... and he didn't ask for anything in return? A finder's fee? An extortionist fee? Anything?

While a real world example isn't always a valid comparison, this is kind of like going into someone's house and taking a laptop just to show them that there is a lapse in their "security", rather than just telling them "hey, you know your door is wide open, someone could take something", and then being shocked that the police get called on you.
 
The crazy part of this whole thing is that nothing was hacked. There was no breach. This kid did changes to the site locally on his computer from the source that is downloaded when the page loads.

Talk about T-Systems really trying to pass the buck here. How they managed to code such an amateur website.
Yes, there was no breach. So it's not a cyber crime, or hacking, or any such nonsense. It's like going into the store, changing the price label on a $30 product to $1, and then buying it at that price. Which would still be an offence, but doesn't warrant 3 policemen banging on your door at dawn and taking you away in handcuffs. Actually, I don't know if cuffs were involved or not, but it sounds more dramatic that way :)
 
I still look at it as a crime.

What he did was the same as going to a store, altering the price tag on an item, paying the altered price and then leaving.
 
I still look at it as a crime.

What he did was the same as going to a store, altering the price tag on an item, paying the altered price and then leaving.

While I agree with you, no competent employee (or barcode scanner) would let the customer pay 20 cents for something that is obviously worth more than that.

The site's poor design allowed it to occur. It's like a physical store with self checkouts and no employees.
 
I still look at it as a crime.

What he did was the same as going to a store, altering the price tag on an item, paying the altered price and then leaving.

If some kid "scammed" my company out of ~$34, then sent in how he did it and warned us, I'd consider it the cheapest bug bounty ever. What a waste of money all around.
 
I doubt BKK only had 500 one star ratings before this. There was plenty of hate towards them already.

Also, the irony is that the website wasn't developed in-house, but by a contractor who happens to be T-Systems, you know, part of that magenta brand and a multinational company with worldwide presence. And according to BKK, reporting the teen to the police was also done by the local branch of T-Systems. (They, however, claimed that some cyber security laws actually require them to file a police report.)
Not 500 1-star reviews..... 500 TOTAL reviews..... now has 45k 1-star..... huge difference.... They weren't well known.... now they are notorious.
 
I still look at it as a crime.

What he did was the same as going to a store, altering the price tag on an item, paying the altered price and then leaving.
A more accurate analogy would be: going to a store, altering the price tag on an item, paying the altered price. Then going to the manager and showing him how incompetent his employees are.
 
The irony is, this will cost them way more than paying off that kid.
How so? People are going to stop taking the bus/train as a result of this? Doubtful.

If anything, people already knew about this, and now they're pissed that they might fix the hole and this kid fucked it up for all of them; bottom line is they might actually make more money.
 
A more accurate analogy would be: going to a store, altering the price tag on an item, paying the altered price. Then going to the manager and showing him how incompetent his employees are.

Even more accurate would be: Call the store, tell them you saw the price lower, employee believes it, you pay lower price over the phone, and then you notify manager how incompetent employees are.

Since, according to the article, the kid in the article doesn't live in Budapest, never used BKK, and had no intention of even using the ticket.
 
Hacking a website and then changing the code, purchasing the item with the new price - that's criminal.

White-hat hacking and doing penetration testing is just the same way. Unless you have the express, written consent (and even then...) it's still considered hacking and attempting to break into someone else's property. It's one of the first things that I was taught during my security / network stint as a high school student. "You now have the tools to wreak havoc on our network. Don't do it. Ever."

Most penetration testers that I know make sure to document everything they do just to cover their asses. You'd like to avoid costing your client a lot of money, which in turn goes real bad real quick for you. In case something happens while you're doing the testing, you want to provide proof that you didn't do it.


But hey. These days ignorance can be used as a meaningful defense, so let's go with that.
 
It's crazy how strict the laws are today for so-called hacking. I would have been in jail today for the stuff I did in the 80s; back then, worst case is I would have got detention in school.
 
Hacking a website and then changing the code, purchasing the item with the new price - that's criminal.

White-hat hacking and doing penetration testing is just the same way. Unless you have the express, written consent (and even then...) it's still considered hacking and attempting to break into someone else's property. It's one of the first things that I was taught during my security / network stint as a high school student. "You now have the tools to wreak havoc on our network. Don't do it. Ever."

Most penetration testers that I know make sure to document everything they do just to cover their asses. You'd like to avoid costing your client a lot of money, which in turn goes real bad real quick for you. In case something happens while you're doing the testing, you want to provide proof that you didn't do it.


But hey. These days ignorance can be used as a meaningful defense, so let's go with that.

There was nothing to penetrate here.

He locally changed the source from the page in his browser and completed the sale. How was he supposed to know there was no server side validation and the sale would actually go through without actually attempting the purchase?

He did nothing wrong and pointed out the flaw. He breached no system. He hacked nothing but the source of the page as it gets to any visitor of the site, meaning he only hacked his properly, normally obtained version of the page.

It seems like they only got pissed he changed the price so low. I'd bet if he changed the price higher and bought it they'd have no problem with it.
 
eh... so instead of just telling them of the problem, he exploited the problem and then showed them first hand... and he didn't ask for anything in return? A finder's fee? An extortionist fee? Anything?

While a real world example isn't always a valid comparison, this is kind of like going into someone's house and taking a laptop just to show them that there is a lapse in their "security", rather than just telling them "hey, you know your door is wide open, someone could take something", and then being shocked that the police get called on you.

If he doesn't purchase the ticket then he can't be sure his "hack" means anything. I agree a more prudent solution would be to alert the admin that this was possible and that someone might be able to use it to buy a lower priced item, but still, it's different than pointing out an unlocked door, because here you are not sure how much the unlocked door matters until you "enter."

Anyways, analogizing online stuff to the real world is always problematic. My understanding is that in the world of cybersecurity, this is commonly how exploits are found, if someone is doing this just for fun and not for actually nefarious purposes. The "hacker" actually utilizes the exploit to prove to the security team that it can be done, and how.
 
Horrible company, I can only imagine the mindset(s) that resulted in this outcome.
Ignorance+hubris is a disgusting combination.
 
I see crap like that and wonder how these people have jobs. Even as a QA, I know to test for something like that; any competent dev should never have let something that stupid get through.
But then I realize, government contract…

To me, this looks like a classic case of having IT performing a Software Engineering function.

*Is a Software Engineer*
 
I see crap like that and wonder how these people have jobs. Even as a QA, I know to test for something like that; any competent dev should never have let something that stupid get through.
But then I realize, government contract…

Cheapest bidder. I do freelance web development on the side, the amount that many clients want to pay is so low they end up finding someone with minimal skills willing to work for $5/hr. They get what they pay for. Don't be cheap and don't have issues like this.

Heck, many SEO companies charge outrageous monthly fees for simply regurgitating blog postings and knowledge of a few WordPress plugins. I've bumped into a few SEO specialists that don't even know HTML. Like, seriously?
 
I still look at it as a crime.

What he did was the same as going to a store, altering the price tag on an item, paying the altered price and then leaving.

Except in your scenario, he didn't keep the item; he made a bee-line straight to the manager and told him exactly what the problem was.

FTA:

The teenager — who didn't want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
 
If he doesn't purchase the ticket then he can't be sure his "hack" means anything. I agree a more prudent solution would be to alert the admin that this was possible and that someone might be able to use it to buy a lower priced item, but still, it's different than pointing out an unlocked door, because here you are not sure how much the unlocked door matters until you "enter."

Anyways, analogizing online stuff to the real world is always problematic. My understanding is that in the world of cybersecurity, this is commonly how exploits are found, if someone is doing this just for fun and not for actually nefarious purposes. The "hacker" actually utilizes the exploit to prove to the security team that it can be done, and how.
Possibly, but he could have simply reported the issue of "It looks like I can simply change the price on the client side"

But whatever, insert Polish joke about being dumb here.
 
While I agree with you, no competent employee (or barcode scanner) would let the customer pay 20 cents for something that is obviously worth more than that.

The site's poor design allowed it to occur. It's like a physical store with self checkouts and no employees.
Poor website design still does not equal permission to exploit. Just like having poorly installed locks on your door does not equal an invitation to enter.
 
Just a bit of local info for the people comparing the kid to a thief:
The pass he bought for ~$0.20 is a monthly pass for the rides in Budapest (BKK operates public transport in Budapest). He lives about 180 miles away from Budapest. The chances of him using it are/were extremely low, not to mention that he also stated that he had no intention to do so (he was just testing the website), and the fact that this is only a digital pass, so invalidation or checking usage is a piece of cake.

BTW, no one has gone to jail because of this. The kid was taken in, booked and the house where he lives was searched. It is unclear if he is being prosecuted further, although I'm not sure if this is a case by the government or the plaintiff (T-Systems).

This shouldn't happen like this, but the law which requires reporting these occurrences was not created with this scenario in mind. I don't think there are laws with ethical hacking in mind in any part of the world as of yet.
Hell, I can't even remember the last time any IT related law was passed which made sense from all aspects anywhere in the world.
 
He didn't go into anyone's store and change the price. That would be true if he hacked into some server somewhere, changed a text file containing the price, and bought the product.

No, this site was coded SO poorly that their site basically sends your machine the price and product list. So it's now on your machine, which belongs the fuck to you... as this kid's machine belonged to him. He then changed a plain text price that was on his own machine. He then sent that back to their server, which said... 30 cents sounds good to us, deal.

So essentially they setup a sales site that was willing to negotiate... as they had no fixed price setup on their own server.

The kid never changed one bit of data on their server. All he did was suggest a new price, which they accepted. Nothing illegal at all... no breaking codes, no changing of data on another's machine.

If this site was so badly coded that the kid would have to change a plain text file on their server... it would be a really really badly coded site. (so bad said programmer should be banned from ever coding anything ever again).

However, this site was so badly coded that they literally sent THEIR price file to the kid's local computer and allowed him to send it back after making changes on his own computer.

It sounds like people need to expand their online scorn campaign to the company that actually coded such a crap site. I don't know much about BKK, but I could almost excuse them for having no idea how bad their site is; most companies that hire web people have as much PC experience as anyone else not in the field. I'm sure as long as the site looked pro enough they would have no bloody idea just how 1999 high school project it was. The company actually selling that crap, though... would be at the very least liable in a civil way, and perhaps, depending on the jurisdiction, criminally. I mean, I have seen some terribly coded pro sites using Amateur Hour WordPress store plugins and the like... but it sounds like these guys just hand-coded something we didn't even see at the dawn of HTML.... it's not much different than just asking people to download a spreadsheet with prices and asking them to mail it back with their offer. lol
 
It was like they just handed the site visitor the price gun and said find the item you want and price it out for whatever you want to.
 
Just checked a recent e-commerce website I built. When I changed the price in DevTools, it still added the item with the correct price. No matter if it was on the product page or submitting payment.
We are a small office and we got it right. I need to go after some of these bigger contracts since we can offer better code than T-Systems.
 
He truly did nothing. Not a dang thing. It wasn't a hack of any kind. The tool was open to use to the end user. Clearly a MISTAKE. A GLITCH. Whatever. Not any kind of hack by any definition of the word. He just said "hey, you can change prices with a single keypress... see, I just did a ticket purchase for $.20. You might want to fix that ASAP."

The only response should be "HOLY @#$@#!!! THANKS FOR REPORTING THAT! Keep that $.20 ticket."

Talk about spirit of the law issues.
 
Not 500 1-star reviews..... 500 TOTAL reviews..... now has 45k 1-star..... huge difference.... They weren't well known.... now they are notorious.
I'm telling you it's bullshit, I'm from Hungary. Everyone hated BKK already.
 
What I find interesting (and kinda scary) in all of this is that using the developer console in your browser can be considered 'hacking'.

What I find even more interesting (and scarier still), is that there are organizations in the world who think coding web pages in this way is "OK". Sure it's fun to change what you pay for bus fare now, but what other sites are out there that can be abused for things far more sinister?
 
What I find interesting (and kinda scary) in all of this is that using the developer console in your browser can be considered 'hacking'.

What I find even more interesting (and scarier still), is that there are organizations in the world who think coding web pages in this way is "OK". Sure it's fun to change what you pay for bus fare now, but what other sites are out there that can be abused for things far more sinister?

Almost none.... seriously, even in a high school programming class any kid with a C or better grade would know better than to code a payment site this way.
 
I left a one star review on their facebook page. They deserve the reputation they earned....
 
Is it really "coding" though? The developer tool doesn't give you access to the actual code that generated the website. It might give you access to javascript that is built-in to the webpage, but not the source code. The browser has no idea what is happening behind the HTML. It's just sending different requests back to the server. But I am open to being shown my misunderstanding.
 
Is it really "coding" though? The developer tool doesn't give you access to the actual code that generated the website. It might give you access to javascript that is built-in to the webpage, but not the source code. The browser has no idea what is happening behind the HTML. It's just sending different requests back to the server. But I am open to being shown my misunderstanding.

You're assuming that this site had a bunch of server-side code running... that doesn't appear to be the case.

What is even funnier is they were paying 1 million a year to maintain such garbage code. From the code snippets posted on Twitter it honestly looks like a high school kid's JavaScript project. It looks like you could even redirect password reset emails and the like. Without a doubt it's one of the least secure major websites you will ever see.
 