You’d think that an ethical hacker who discovers a vulnerability before the bad guys do and reports it to the authorities would not end up behind bars. Sure enough, countless companies run bounty programs to encourage ethical hackers to test their defenses and report any and all vulnerabilities so that they can be patched before any harm is done. That’s not what Budapest’s public transportation authority did when a teenage ethical hacker discovered a major security flaw in its website. He ended up behind bars.
The 18-year-old Hungarian hacker was arrested after he discovered an exploit in the public transportation authority’s website and reported it to the authority.
The website also sells tickets, and it was on the ticketing page that the vulnerability was discovered. He found that the ticket price could be altered simply by editing the price value in the page's source code with the web browser's developer tools.
This enabled him to purchase a $35 ticket for just $0.20. The purchase went through because the transportation authority's website had no validation in place on either the client or the server side: the server simply charged whatever price the browser submitted.
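The flaw described above comes down to the server trusting a price sent by the browser. The following is an added illustration, not the transport authority's code: a hypothetical checkout handler that accepts the client-supplied price, beside a hardened version that prices from a server-side catalogue and treats a mismatching client price as tampering. The catalogue and form values are constructed.

```python
from decimal import Decimal

# Constructed sample catalogue; the authoritative price must live server-side.
CATALOGUE = {"monthly-pass": Decimal("35.00")}


def checkout_vulnerable(form):
    """Charges whatever price the submitted form carries.

    If the price is a hidden field in the page HTML, anyone can edit it in
    the browser's developer tools before submitting, and the server has no
    way to tell: this is the pattern the article describes.
    """
    return {"item": form["item"], "charged": Decimal(form["price"])}


def checkout_hardened(form):
    """Never trusts a client-supplied price; looks it up from the catalogue.

    Raises ValueError for an unknown item or for a client-echoed price that
    disagrees with the catalogue, so tampering attempts can be logged and
    alerted on rather than silently corrected.
    """
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError(f"unknown item: {item!r}")
    price = CATALOGUE[item]
    # A price field is never required; if the client sends one (e.g. for
    # display), a mismatch is a detection signal, not an input to honour.
    if "price" in form and Decimal(form["price"]) != price:
        raise ValueError(
            f"price mismatch for {item!r}: client sent {form['price']}, "
            f"catalogue says {price} (possible client-side tampering)"
        )
    return {"item": item, "charged": price}


def is_tampered(form):
    """Convenience check for logging: True when the hardened path rejects."""
    try:
        checkout_hardened(form)
    except ValueError:
        return True
    return False
```

In a real deployment the hardened handler would also verify the session, quantity and payment authorisation server-side; the point here is only that the price itself is never read from the request.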
He contacted the transportation authority after discovering this, but instead of receiving a bounty, or even a word of thanks, he was reported to the police, and a complaint was filed against him for “hacking” the system.
The internet has rallied against the incarceration of a white hat hacker, though, and there are talks of protests being organized. Even though the transportation authority said that it has fixed the flaw, plenty of other white hat hackers have taken to Twitter to point out several other flaws in the code. Some have gone so far as to refer to its website as a “train wreck.”