Best News Network

India’s largest e-ticketing platform IRCTC fixes bug after school student raises alarm

Chennai, September 21

The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a plus two student from the city raised an alarm over the presence of Insecure direct object references (IDOR) — a type of access control vulnerability in the booking site.

The IT wing of the IRCTC which took note of the complaint, immediately resolved the vulnerability issue that has been reported, a senior official said on Tuesday.

“Our e-ticketing system is well protected (now). The issue was reported on August 30 and it was fixed on September 2,” he added.

The IDOR, a type of access control vulnerability, arises when an application uses user-supplied input to access objects directly.

“I accidently discovered a critical IDOR that leaks the transaction details of millions of travellers, when I was trying to book tickets on August 30. It was the most common bug. Immediately, I reported about it to the Indian Computer Emergency Response Team (CERT-In),” P Renganathan, a plus two student of a private school in Tambaram here, said.

“I’ve discovered a critical IDOR that leaks the transaction details of millions of travelers. Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another’s tickets, you will get all the sensitive details. You can also cancel someone’s ticket or do anything malicious,” he said in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology.

As a mitigation, Renganathan who identifies himself as ethical hacker and cyber security researcher, said the booked user and ticket should be validated so that no one else can access it except the booked user.

On September 11, 2021, he received a mail thanking him for reporting the incident to CERT-In and also a confirmation that the “reported vulnerability has been resolved” by the authorities concerned.

Renganathan, currently pursuing commerce group, has been acknowledged by LinkedIn, United Nations, BYJU’s, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications.

Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. “I have opted for online classes owing to the pandemic,” he said. PTI

Stay connected with us on social media platform for instant update click here to join our  Twitter, & Facebook

We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! NewsAzi is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.