
Commit 4aa2366

Add Budapesti Közlekedési Központ (BKK) vs Unnamed 18yo Hacker. Fixes #50
1 parent 0df8566 commit 4aa2366

File tree

1 file changed (+1, -0 lines)

README.md

Lines changed: 1 addition & 0 deletions
@@ -98,6 +98,7 @@ Historical archives were taken with explicit permission to continue wonderful wo
9898
| 2019-11-05 | [Boeing](https://www.boeing.com/) @Boeing | [Chris Kubecka](https://twitter.com/secevangelism) | Companies without disclosure policies | Chris discovered fundamental flaws in Boeing's network security and Boeing attempted to "cover up" the incident, [according to CSOOnline](https://www.csoonline.com/article/3451585/boeings-poor-information-security-posture-threatens-passenger-safety-national-security-researcher-s.html). Chris spoke at a public event about her research. Boeing was apparently infected with actual malware, ran testing environments exposed to the public internet, [and discovered XSS vulnerabilities](https://twitter.com/SecEvangelism/status/1154495096605175808). Boeing is alleged to have threatened her with legal action, to prevent her from publicly speaking about the research, and Boeing is said to have considered publicly tarnishing Chris' reputation. Chris is a well-known Security Researcher, and an Air Force veteran.
9999
| 2017-12-20 | [Keeper](https://keepersecurity.com/) | [Dan Goodin](https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/) | Keeper sues reporter over vulnerability story | On December 14 2017, [Tavis Ormandy reported on Google's Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1481) about a concern that Windows came pre-installed with a copy of Keeper password manager. Moreover, he published screenshots of a PoC, and showed that the pre-installed software, came with a vulnerability that could be used to potentially perform "drive-by" password theft. Subsequently, [Dan Goodin covered this story in Ars Technica](https://arstechnica.com/information-technology/2017/12/for-8-days-windows-offered-a-preloaded-password-manager-with-a-plugin-vulnerability/). Keeper obviously did not like the original version of Goodin's story and demanded a trial by jury, alleging that the article contained, "false statements," and was missing facts. Keeper argued on the court filing that Goodin failed to speak to Keeper, before writing about a bug tracker post about vulnerabilities in the Keeper password manager, that came pre-installed with Windows. Keeper even tried to argue that although it was pre-installed on the computer, the customer had to "use the software", to be vulnerable. As of 2017, software is designed to be used. [[Case number 1:17-cv-09117](https://www.documentcloud.org/documents/4333677-Keeper-Security-Inc-v-Goodin-et-al.html)] |
100100
| 2017-08-03 | [MIT](http://web.mit.edu/) [@MIT](https://github.com/mit) | [Bill Demirkapi](https://github.com/D4stiny) [@D4stiny](https://github.com/D4stiny) | Web Site Security | Bill Demirkapi discovered an exposed Wordpress debug log 4GB in size on a publicly accessible MIT service. An unnamed individual at MIT threatened Bill with 5 years jail, and determined that he had caused, "significant disruption and inconvenience for @MIT Libraries staff and patrons." MIT head of IT responded and said that scanning was "problematic." Moreover, the original threatener begins to make condescending remarks to Bill, "your understanding of the law is very limited." Bill was 16 at the time, and later went on to work for [@Zoom](https://github.com/zoom) in Offensive Security. The email exchange can be viewed at: [MIT threatened to sue after I reported a security vulnerability #27 pdf file](goodies/MIT_threatened_to_sue_after_I_reported_a_security_vulnerability_#27.pdf) |
101+
| 2019-07-17 | [Budapesti Közlekedési Központ (BKK)](https://bkk.hu) | Unknown 18 Year Old | Transit System Security | An unknown 18 year old was arrested in Hungary, for reporting a "shamefully stupid bug" in the new Budapest e-Ticket system. As a result of the arrest, thousands of 1-star reviews were left on the T-Systems (T-Mobile) and the BKK Facebook pages. The NFC/Smart Card system was apparently trivial to defeat for the unknown 18 year old security researcher. A number of flaws were reported, including passwords being emailed in plain text when asking for a password reminder, an IDOR allowing accessing the data of other users by manipulating the UR, the ability to clone tickets, the ability to change the price of tickets, and the admin password being "adminadmin". [Read an archive summary of the research on marai.me](https://web.archive.org/web/20200202080209/https://blog.marai.me/2017/07/24/18-year-old-arrested-bkk-tsystems-e-ticket/). After arresting the innocent security researcher, the story went viral, and resulted in T-Systems Hungary hosting a press conference 4 days later, and that the researcher had conducted an "illegal hacking attempt", yet reported the bug to the vendor. The BKK CEO told the press that they didn't receive the original report from the security researcher, because he sent it to the wrong email address, which this fact was completely debunked with a screenshot from the researcher. The original research appeared to have been released on Facebook, but a copy of the FB message can be [seen here](https://www.ibtimes.co.uk/dont-shoot-messenger-teenager-arrested-showing-security-flaw-hungarian-transport-system-1632472). A 500 person protest was subsequently held on Monday 24th July 2017 [Video](https://index.hu/video/2017/07/24/tuntetes_bkk_bkv_hacker_hekker/). "It is not clear whether any further legal action [was] taken against the young man." |
101102
| 2016-11-17 | [Chase Bank](https://www.chase.com/) | [Chad Scira](https://www.linkedin.com/in/chadscira/) | Web Site Security | Before Chase created a coordinated disclosure policy or bug bounty program, Scira found a vulnerability that allowed creating unlimited reward points. Scira documented and shared with Chase via Twitter. They organized a call with an SVP and engineer where he showed them everything that "went well". After, Chase terminated his credit card of five years as well as terminating a family member's card. Scira disclosed this on 2020-11-04. |
102103
| 2016-12-07 | [PwC](https://www.pwc.com/) | [ESNC GmbH](https://www.esnc.de/) | PwC ACE Software | ESNC attempted to coordinate disclosure of vulnerabilities in PwC software. During the process, PwC sent two Cease & Desist orders trying to silence research. ESNC ignored them and [disclosed the vulnerabilities](http://seclists.org/bugtraq/2016/Dec/6) along with a timeline. [[ZDNet](http://www.zdnet.com/article/pwc-sends-security-researchers-cease-and-desist-letter-instead-of-fixing-security-flaw/)] [[TechDirt](https://www.techdirt.com/articles/20161213/07484536261/researchers-find-vulnerability-that-enables-accounting-fraud-pwc-decides-best-response-is-legal-threat.shtml)] |
103104
| 2016-06-18 | [Nerium International](https://www.shopnerium.com/) | [Steven Jensen](http://s3jensen.blogspot.com/) | Vulnerability in customer portal | Steven Jensen found a simple enumeration vulnerability in the Nerium customer portal that allows any customer to see any other customer's details, including credit card, address, and more. Nerium ignored his attempts to report it and only contacted him after he posted enough details to show it was a real issue. That contact came in the form of a cease and desist letter. Jensen removed the post, and replaced it with a [timeline of the incident](http://s3jensen.blogspot.com/2016/06/nerium-vulnerability-disclosure.html). |
