Teenager Discovers IRCTC Bug That Exposed Millions Of User Data; Helps IRCTC To Fix It

The incident happened on August 30 when he visited the site to book a ticket.

A school student from Chennai identified a bug in Indian Railway Catering and Tourism Corporation (IRCTC)’s online ticketing platform.

He then informed the railways of the security lapse and also helped correct it.

In Short

Commerce student P Renganathan, 17, accidentally discovered the bug which could have revealed private information of millions of passengers.

The incident happened on August 30 when he visited the site to book a ticket.

He then found that he could access the details of other passengers.

Technical Details

The vulnerability in question is called Insecure Object Direct References (IODR) which is an access control vulnerability.

It arises when an application uses user-supplied input to access objects directly.

In his email, Renganathan explained how to investigate the problem.

He wrote, “Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another’s tickets, you will get all the sensitive details. You can also cancel someone’s ticket or do anything malicious.” 

This allowed him access to journey details of other passengers including name, gender, age, PNR number, train details, departure station, and date of journey.

Crisis Averted

He reported the leak to the Indian Computer Emergency Response Team (CERT-In) under the Union Ministry of Electronics and Information Technology.

By doing so, he helped IRCTC avert a massive cybersecurity breach.

He suggested that the booked user and ticket should be validated so that only the booked user can access it.

What Could Have Happened?

Since the back-end code is the same, a hacker could have used the leaked info to make transactions in another person’s name.

They could also have changed the boarding station, and even cancelled the ticket without the knowledge of the passenger.

The IT wing of the IRCTC managed to fix the situation in four days by September 2.

They then sent Renganathan an email expressing gratitude.

Recognised By Top Brands

He has also been praised by Linkedin, the United Nations, BYJU’s, Nike, Lenovo, Upstox for alerting them of similar vulnerabilities in their websites.

Renganathan, who identifies as an ethical hacker and cyber security researcher, says that he wants to pursue a career in Computer Science.

He also wishes to continue independent research on security of web applications.

IRCTC Launches India’s 1st Luxury Cruise From This Date: Route, Fares, USPs & More

Comments are closed, but trackbacks and pingbacks are open.

who's online