A teenager discovered that the website of Budapesti Közlekedési Központ — the public transit authority in Budapest — would allow you to edit the price you paid for your tickets, so that purchasers could give themselves massive discounts on their travel, and when he told the authority about it, they had him arrested and issued a press-release boasting about it.
Sadly, this is a common occurrence around the world. Companies who are embarrassed by researchers who reveal product defects that endanger the company, their customers, and the public routinely threaten and coerce researchers into silence. In fact, the last time the US Copyright Office held hearings about this, in 2015, they heard that copyright law had stifled security researchers who'd discovered grave flaws in infrastructure, medical implants, automobiles and industrial vehicles, phones, computers, and more.
This is especially important right now, because the World Wide Web Consortium has overruled dozens of its members who voted against the publication of a DRM standard for web video, unless that publication came with an obligation not to invoke DRM laws to silence security researchers who discovered flaws in browsers.
On Friday, EFF filed an official appeal to the W3C's decision to overrule the objectors, asking again that the W3C not create a standard that allows its members to silence security researchers. It's the first time in the organization's history that an appeal has been attempted, and this is the most controversial project in W3C history.
What isn't controversial is the idea that companies shouldn't get to punish people who reveal their mistakes. When the Budapest transit authority announced that it had sued the whistleblower who found the flaw in its website, 45,000 gave the transit authority a one-star review on Facebook. This shows that web users want critics to be shielded from vengeful, embarrassed companies.
Talking to Hungarian press, the young hacker said he only had the best intentions when he reported the issue to BKK and said he hopes the organization withdraws its report.
In the meantime, tens of thousands of Hungarians have shown their solidarity and support for the teenager by going on Facebook and leaving one-star reviews on BKK's page.
While initially, reviews came from Hungarians, international users started leaving their own thoughts on BKK's page after the incident become a trending topic on Reddit.
"You should partner with better companies managing the security and reliability of your online purchase systems! Shame on you BKK!," said one user.
45,000 Facebook Users Leave One-Star Ratings After Hacker's Unjust Arrest [Catalin Cimpanu/Bleeping Computer]