BKK: A lesson in creating black hat hackers
A recent incident highlights how the security industry could well be pushing legitimate researchers into being black hat hackers.
The security industry is always telling us that there is a shortage of people being recruited into the sector. What’s more, it admits it is fighting a battle with the ‘dark side’ when many talented researchers end up joining criminal endeavours that can offer the lure of making more money, and making it fast. While money, and excitement, are usually considered the main drivers creating black hat hackers, I’d like to put forward another: the way that kids trying to help are often still treated by the companies whose security shortcomings they uncover.
Take the case of an 18 year old, who wishes to remain anonymous, and his discovery and responsible disclosure of a pretty simple yet severe vulnerability. The guy was looking at the website of the Budapest transport authority, Budapesti Közlekedési Központ (BKK), which allows you to buy tickets for travel online.
What the budding Hungarian security researcher found was he could access the site and just press F12 fire up the developer tools mode in his browser. Standard stuff that, after all who hasn’t loaded up some corporate source code and had a fiddle around with and then laughed at the results that appear locally in the browser? Thing was, there was absolutely no client or server-side validation in place here. Which meant that when he changed the source code, those changes stuck: the system accepted whatever he did as being valid.
So what did he do? Well to demonstrate both the ridiculous simplicity of the vulnerability and the severe consequences to the company, he changed a travel ticket price. Well, he slashed it from 9459 Hungarian Forints down to just 50. His ticket was duly issued, but as he lives nowhere near Budapest and had not intention to travel, it was never used.
What happened next is the shocking bit; the bit that reveals how not to respond to a security researcher responsibly disclosing a vulnerability. BKK reported him to the police as executing a cyber attack against them, and detectives were duly dispatched to question him. The BKK CEO, Kálmán Dabóczi, then held a press conference and claimed his company had caught a hacker. Dabóczi went on to assure all customers that the website was ‘perfectly safe’ to use.
Here’s the thing, not only does the researcher himself say he immediately reported his find to BKK but also that the company did not respond to him at all during the next four days.
Four things have happened as a direct result:
1. The BKK Facebook page has been inundated with 1 star reviews, mostly cut and pasting a statement from the security researcher. How many is inundated in this case? Erm, 45,000. Looks like the CEO has done as good a job of securing the BKK reputation as he did the website.
2. Talking of which, after stating that the website was perfectly safe, hackers have been taking to social media to post further vulnerabilities they have discovered.
3. The company which was maintaining the BKK site, T-Systems, has sponsored an ethical hacker programme.
And most importantly of all:
4. Any youngster reading this story and thinking of responsibly disclosing the security vulnerabilities they find may now think twice. After all, why do the right thing and try to help a company when that company may well just have you arrested? Why not just exploit the vulnerability, or sell it to someone else who will?
This story just reveals how easy it is to turn potentially great security researchers into black hat hackers. Not that this young man is going to go down that road of course, but the point remains.
Maybe the answer is that every would be researcher needs to join one of the many bounty hunting programs. Or maybe organisations just need to pull their fingers out of their collective arses and realise that responsible disclosure is a two way street: the recipient has to react responsibly as well as the researcher.