
Techie prevents train tickets booked on IRCTC from getting ‘hacked’ – Times of India

NEW DELHI: An independent security researcher, Renganathan P, recently alerted the Indian Computer Emergency Response Team (CERT-In) to a serious vulnerability on the IRCTC platform that exposed the private information of lakhs of passengers. Exploiting the IDOR (Insecure Direct Object Reference) flaw would also have allowed an attacker to cancel the booked train tickets of arbitrary passengers.
The IDOR vulnerability on IRCTC also allowed anyone to change the boarding point (of the train), order food, book a hotel, tourist package, and even book a bus, as per Renganathan.
Renganathan, who claims to have helped LinkedIn, the United Nations, BYJU’s, Nike, Lenovo and Upstox fix security vulnerabilities in their web applications, reported the issue to CERT-In on August 30, 2021, by email to “[email protected]”. The vulnerability was fixed on September 4 and IRCTC acknowledged the fix on September 11.
It is not possible to determine how long this vulnerability was present on the IRCTC platform, and there is little official information on whether it was ever exploited. It is not yet known whether any user was directly affected by the flaw.
Considering that IRCTC is one of the largest ticket booking platforms in India, relied on by a majority of citizens for train travel, the implications could have been massive.
Explaining how the vulnerability was found, Renganathan said, “While I was booking a ticket as a normal human I suddenly got an idea to test for vulnerabilities.” In his mail to CERT-In (a copy of which is present with The Times of India–GadgetsNow), he wrote, “Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another’s tickets, you will get all the sensitive details. You can also cancel someone’s ticket or do anything malicious.”
“I tried for IDOR and decreased the number of the transaction ID and forwarded the packet. And Yeah! I got a random user’s transaction and ticket details like Train Number, Departure time, Duration of the journey, PNR number, Status of the ticket, Boarding station, Passenger’s information like their names, seat details, gender & age,” he added.
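The following is an added illustration, not IRCTC's code or anything from the researcher's report. It models the flaw the quotes describe in plain Python with an in-memory SQLite table (the table, users, PNRs and train numbers are constructed for the example): a ticket-history handler that selects a booking by transaction ID alone, beside the fixed handler that scopes the same query to the logged-in user, and the "decrement the ID and resend" walk from the quote run against both. It also shows the cancel action, since the article notes the same missing check let an attacker cancel other people's tickets.

```python
"""Model of the IRCTC-style IDOR described above: a ticket-history endpoint that
looks a booking up by transaction ID alone, beside the fixed version that scopes
the lookup to the logged-in user. All data below is constructed for the example."""
import sqlite3


def build_db():
    """In-memory stand-in for the booking table; the rows are made up."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE tickets ("
        "txn_id INTEGER PRIMARY KEY, user_id TEXT, pnr TEXT, "
        "train_no TEXT, passenger TEXT, status TEXT)"
    )
    db.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?, ?, ?, ?)",
        [
            (100001, "alice", "2345678901", "12951", "Alice, 34, F", "CNF"),
            (100002, "bob",   "3456789012", "12301", "Bob, 41, M",   "CNF"),
            (100003, "alice", "4567890123", "12002", "Alice, 34, F", "WL"),
        ],
    )
    return db


def vulnerable_ticket_details(db, session_user, txn_id):
    """IDOR: txn_id from the request is the only selector; session_user is never
    consulted, so any authenticated user can read any booking."""
    row = db.execute("SELECT * FROM tickets WHERE txn_id = ?", (txn_id,)).fetchone()
    return dict(row) if row else None


def fixed_ticket_details(db, session_user, txn_id):
    """Fix: the query is scoped to the authenticated owner. A foreign txn_id gets
    the same None as a non-existent one, so the endpoint does not confirm which
    IDs exist."""
    row = db.execute(
        "SELECT * FROM tickets WHERE txn_id = ? AND user_id = ?",
        (txn_id, session_user),
    ).fetchone()
    return dict(row) if row else None


def vulnerable_cancel(db, session_user, txn_id):
    """Write-side IDOR: the cancel action has the same missing ownership check.
    Returns the number of rows cancelled."""
    cur = db.execute("UPDATE tickets SET status = 'CAN' WHERE txn_id = ?", (txn_id,))
    db.commit()
    return cur.rowcount


def fixed_cancel(db, session_user, txn_id):
    """Fix: ownership is part of the UPDATE predicate, so a foreign txn_id
    changes zero rows."""
    cur = db.execute(
        "UPDATE tickets SET status = 'CAN' WHERE txn_id = ? AND user_id = ?",
        (txn_id, session_user),
    )
    db.commit()
    return cur.rowcount


def walk_down(db, handler, session_user, own_txn_id, steps):
    """Replays the technique in the quote: start from the attacker's own
    transaction ID, decrement, and resend. Returns the other users' records the
    handler hands back; against the fixed handler this is always empty."""
    leaked = []
    for tid in range(own_txn_id - 1, own_txn_id - 1 - steps, -1):
        rec = handler(db, session_user, tid)
        if rec is not None and rec["user_id"] != session_user:
            leaked.append(rec)
    return leaked


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", [r["txn_id"] for r in walk_down(db, vulnerable_ticket_details, "alice", 100003, 3)])
    print("fixed:     ", [r["txn_id"] for r in walk_down(db, fixed_ticket_details, "alice", 100003, 3)])
```

Sequential transaction IDs are what make the walk trivial, but switching to random identifiers only raises the cost of guessing; the actual fix is the ownership predicate in every read and write that takes an object ID from the client, which is why the example changes the query rather than the ID scheme.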