Serious mistakes make new Budapest electronic ticketing unsafe
The BKK (Budapest Transport Center) launched the online ticket and lease purchase interface this week. Index, however, reported on Friday that there are rough security flaws in the system. Among other things, with a “basic hacking” anyone could get a lease for as much money as he wants.
An ethical hacker sent an remark to the journalists of Index, which was confirmed by several other independent experts later. BKK responded to the news shortly afterwards:
“BKK sadly experienced that the successful installation and the proper use of the new online sales channel launched yesterday became continuously influenced by cyber-attacks,” they added. “The system started to operate using an automatic abusive monitoring feature in the launch phase, that detects such attempts and triggers immediate action.”
However, the story does not end here. More and more amateur security errors are warning us on the Internet. 24.hu also received the comments of an expert who highlighted several bad security settings. Among other things, the BKK ticket buyer system stores the users’ passwords as raw texts, it doesn’t hash them. So with the most common passwords (e.g. 123456),
you can easily break into someone else’s account.
Additionally, login information is not secure either. The password is transmitted by HTTP request parameters. So it also appears on the proxy server between the user and the server. Someone warned on Tumblr that the system operators have left the admin username – adminadmin password pair. Therefore a malicious user can easily access or misuse all the personal information of all users. Of course, they reported the error to BKK immediately.
But this is still not everything: the expert of 24.hu also wrote that, by modifying a profile through a registered account, the source code of the page can be edited, so any data of any user can be obtained, including the passwords. Finally, you can also obtain the passwords by entering a bad password. In case of a forgotten password you can also acquire the confirmation code sent by the system via e-mail from the returning server response.