Ethical hacking protest in Budapest
About 500 people protested outside the Budapest Transit Authority on Monday 24 July over its decision to arrest a teenager for pointing out a mistake in its new electronic ticketing system Index.hu

Ethical hacking has become a key national issue in Hungary, after an embarrassing incident where a teenager who reported a serious security flaw in Budapest's public transport ticketing system was arrested. The police report was made by the Budapest Transit Authority and its partner T-Systems Hungary, who have since been forced to publicly apologise.

The 18-year-old, who has not been named in Hungarian media, was arrested in the middle of the night in early July after he found a security flaw in the newly-launched online ticket booking system on the official website of Budapest's public transport authority Budapesti Közlekedési Központ (BKK).

He discovered that if a user were to press F12 while on the website, the user could access the browser's developer tools mode, modify the webpage's source code and change the price of tickets to make them cheaper (first reported by Bleeping Computer).

Because the transport authority had not put in place any checks or balances to prevent users from doing this, the website would unwittingly accept the change and immediately issue a new, cheaper transport ticket.

To prove the flaw was possible, the young man tested it out and was able to buy a ticket that usually costs 9459 Hungarian Forints ($36.30, £27.75) for just 50 Hungarian forints ($0.13, £0.15).

What he did is known as "white-hat hacking" — a practice where software developers test operating systems and software repeatedly until they discover a security vulnerability that hasn't yet been patched. Tech giants now pay huge rewards to ethical hackers who can discover critical security flaws so that they can be fixed.

Arrested for pointing out a mistake

The young man reported the security problem directly to BKK and T-Systems, the company that developed the online ticketing system, but instead of thanking him, T-Systems called the police.

The young man was interrogated and his photograph and fingerprints were taken before he was permitted to go home, according to Hungarian news portal Index.

BKK then followed this up by holding a press conference on 18 July, according to popular Hungarian news site 24. BKK's chief executive Kálmán Dabóczi and Budapest's deputy mayor of urban development Balázs Szeneczey claimed that cyberattacks had been carried out against the BKK website and T-Systems for two days, but that the hacker had now been arrested.

Dabóczi emplasised the fact that its electronic ticketing system was still secure, and it was only the website that had experienced problems. BKK also said that 150 people had tried to illegally obtain tickets for free by trying to pretend to be BKK site administrators, and that they had all been arrested.

BKK's chief executive tried to justify the young man's arrest by saying that his actions were still a crime – he said that if you were to turn the door knobs of the front doors of apartments, and you managed to find one that was unlocked and get in, it would still be a crime, and should not be done.

Public backlash

After the press conference, the young man wrote a Facebook post about his experience, asking other users to share it in the hopes that the police report would be withdrawn.

"I am an 18-year-old, now middle school graduate. Perhaps that which differs from the average, is that I trust that I can help solve a mistake.

I discovered last Friday that I could take a monthly ticket for 50 for the new internet e-ticket system in BKK, and then informed them about two minutes later. I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at a half price for their own benefit).

The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.

I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.

I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report."

The young man's comments and coverage of the issue prompted over 47,000 people in Hungary and abroad to post one-star reviews on the BKK's Facebook page. The posts feature criticism of the BKK, as well as a re-paste of the teenager's original message explaining his actions.

Numerous people also began testing the BKK website and posting the security vulnerabilities they found on Twitter.

Hungary needs an ethical hacking culture

Budapest Transit Authority
The Budapest Transit Authority and T-Systems Hungary have incurred the wrath of the Hungarian public over arresting a young ethical hacker Budapesti Közlekedési Központ

Following the public backlash, on Saturday 22 July BKK's chief executive apologised for the problems with the ticketing system. However, he did not mention anything else. Instead, T-Systems Hungary's chief executive Zoltán Kaszás apologised in a public post on Facebook, and he extended an offer to the young man to collaborate with the company in future.

"Personally, I am also touched by the young man's case, but I would like to point out that, under the circumstances, there was no other option than to report an unknown culprit (the young man was not indicated to us)," wrote Kaszás (translated from Hungarian).

"Following the report, and further to all the parties concerned, the information and data relating to all parties concerned shall be made available to the authorities. As head of the management of T-systems Hungary, I would like to offer the opportunity for future cooperation if he is open to it."

Kaszás said that Hungary currently has no practices when it comes to ethical hacking, and that T-Systems wanted to try to help create a legal, regulated framework for white hat hackers.

Despite the apology, Hungarian organisation Occupy Oktogon decided to hold a demonstration in front of the BKK building at 7pm on Monday 24 July, which was attended by at least 500 people.

It is not clear whether any further legal action has been taken against the young man, but the National Bureau of Investigation, which is tasked with fighting major crimes, has until 15 September to complete its investigation.

An IT training firm in Hungary has also offered the young man a fully-paid scholarship to complete a four-month-long software engineering or hardware programming training course at the Green Fox Academy in Budapest, worth 1.3 million Hungarian Forints.