The system run by the city's public transit authority, Budapesti Közlekedési Központ (BKK), was already plagued with vulnerabilities and non-existent security controls, such as storing passwords in clear text, improper permission handling, non-HTTPS redirection, use of the admin password “adminadmin”, and the ability for users to set their own ticket prices, according to independent researcher Laszlo Marai in a 24 July blog post.
Budapest rushed the system to market on 14 July so that it would be available for tourists attending the FINA world swimming championships.
The teen, who reportedly didn't even know how to program, spotted the “set your own price” flaw using a simple developer tool in the browser. When he was about to make a purchase, he noticed the price being sent back to the server and decided to alter it.
When he noticed the transaction went through, he immediately emailed the transit authority to inform them of the glitch. He later got an email that his pass had been invalidated. A week after the findings, news broke that the teen had been taken into custody, but had been subsequently released after only a few hours.
The BKK reportedly told the press it never received the initial report from the man who spotted the error, contrary to screenshots taken of the exchange.
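
The “set your own price” flaw described above arises when a server charges whatever amount the browser submits. The sketch below is an added example, not BKK's code or anything from the original article: it places that flawed pattern beside a handler that prices the order from a server-side catalog and records mismatches. The product ids, prices and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed server-side price list in HUF; ids and amounts are illustrative.
CATALOG = {"monthly-pass": 9500, "single-ticket": 350}


class OrderRejected(Exception):
    """Raised when an order fails server-side validation."""


@dataclass
class Charge:
    product_id: str
    amount_huf: int


def charge_trusting_client(order: dict) -> Charge:
    """Flawed pattern: the amount charged is whatever the browser sent."""
    return Charge(order["product_id"], int(order["price"]))


def charge_server_priced(order: dict, audit_log: list) -> Charge:
    """Hardened pattern: the amount comes only from the server-side catalog."""
    product_id = order.get("product_id")
    if product_id not in CATALOG:
        raise OrderRejected(f"unknown product: {product_id!r}")
    authoritative = CATALOG[product_id]

    # A client-supplied price is never used for billing. If one is present
    # and differs from the catalog, record it for review and refuse the order.
    client_price = order.get("price")
    if client_price is not None and str(client_price) != str(authoritative):
        audit_log.append({
            "event": "price_mismatch",
            "product_id": product_id,
            "submitted": client_price,
            "expected": authoritative,
        })
        raise OrderRejected("submitted price does not match catalog")

    return Charge(product_id, authoritative)
```

The audit entry gives operations staff a record to alert on and to match against any report that arrives by email.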