Tuesday, July 25, 2017

Security researcher arrested after reporting security vulnerability

Of course, it was a government agency that did this, and the public reaction has been what you'd expect:
Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest's public transportation authority.
The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price.
Let's look at all the layers of fail compressed into this public transit agency:

1. Their coders were stupid enough to ship a 15-year-old class of security vulnerability: the server trusted a ticket price that the browser sent it, so anyone who could edit the page in developer tools could name their own price.

2. Their security team didn't thank him for reporting the vulnerability, but rather went to the local po-po.

3. The PR team didn't send everybody involved to their rooms without dessert.  Think I'm being too hard on them?  Consider:
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter.
"Secure".  You keep using that word.
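To make the "layer 1" failure concrete, here is an added example (my own illustration, not BKK's code or anything from the news report) of a checkout handler that computes the total from the price field the browser posts, beside one that looks the price up on the server and ignores whatever the client claims. The ticket names, prices and request shape are all assumed; the "tampered" request stands in for what the F12 edit described above would produce.

```javascript
// Added example: client-trusted price (vulnerable) vs. server-side lookup (hardened).
// The catalogue, ticket names and prices are constructed sample data.

const CATALOGUE = {
  single: 350,     // hypothetical single-ride price
  monthly: 9500,   // hypothetical monthly pass price
};

// Common request parsing. Only the product name and quantity are
// legitimate input; "price" is whatever the browser chose to send.
function parseOrder(body) {
  const ticket = String(body.ticket || "");
  const qty = Number.parseInt(body.qty, 10);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    throw new Error("bad quantity");
  }
  return { ticket, qty, clientPrice: body.price };
}

// VULNERABLE: total is derived from the client-supplied price field.
// Editing a hidden <input name="price"> in developer tools changes the bill.
function vulnerableCheckout(body) {
  const { ticket, qty, clientPrice } = parseOrder(body);
  const price = Number(clientPrice);
  return { ticket, qty, total: price * qty };
}

// HARDENED: the client names the product; the server owns the price.
// Unknown product names are rejected instead of defaulting to anything.
function hardenedCheckout(body) {
  const { ticket, qty } = parseOrder(body);
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, ticket)) {
    throw new Error("unknown ticket type");
  }
  return { ticket, qty, total: CATALOGUE[ticket] * qty };
}

// Detection hook for the migration period: if the form still carries a
// price field, log any request whose value disagrees with the catalogue.
// Returns true when the submitted price does not match the server's price.
function priceMismatch(body) {
  const { ticket, clientPrice } = parseOrder(body);
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, ticket)) {
    return true;
  }
  return Number(clientPrice) !== CATALOGUE[ticket];
}

// Constructed sample: a monthly pass whose hidden price field was edited
// from 9500 down to 50 in the browser before submitting the form.
const TAMPERED_REQUEST = { ticket: "monthly", qty: 1, price: "50" };

console.log("vulnerable total:", vulnerableCheckout(TAMPERED_REQUEST).total); // 50
console.log("hardened total:  ", hardenedCheckout(TAMPERED_REQUEST).total);   // 9500
console.log("mismatch flagged:", priceMismatch(TAMPERED_REQUEST));            // true
```

The point is not the JavaScript but the trust boundary: anything the browser sends, including hidden form fields and values written by the page's own scripts, is attacker input. The fix is never "obfuscate the price field harder"; it is to stop reading the price from the request at all.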

It's likely that hackers worldwide are even now scouring BKK's computer systems for vulnerabilities, and an organization that ships a price field the browser controls is not going to have gotten the rest of its input handling right.  There's quite a good chance that it's a target-rich environment.  This is quite likely to end in tears for BKK.


Ken said...

On the plus side, Adobe is finally killing Flash...in another three and a half years.

SiGraybeard said...

What do you get when you combine government budgets and mindsets with e-commerce?

This. You get this.

It's the same reason why people entered personal data into the Obamacare website and later saw it on the latest episode of Keeping Up With the Kardashians. OK, that's a slight exaggeration. Software that the private sector does every day, many times better, and keeps improving will be something the government pushes out as barely functional, not secure, and never updates.