NEW DELHI: In a recent exposé, an independent security researcher named
recently alerted the
Indian Computer Emergency Response Team
) about a major vulnerability on the
platform that allowed easy access to private information of lakhs of passengers. Not just that, exploiting the IDOR (
Insecure Direct Object Reference
) vulnerability on IRCTC could have even allowed the attacker to cancel booked train tickets of random passengers.
The IDOR vulnerability on IRCTC also allowed anyone to change the boarding point (of the train), order food, book a hotel, tourist package, and even book a bus, as per Renganathan.
Renganathan, who claims to have helped LinkedIn, United Nations, BYJU's, Nike, Lenovo, Upstox in fixing security vulnerabilities in their web applications, reported the issue to CERT-In on August 30, 2021, by emailing on “firstname.lastname@example.org”. The IDOR vulnerability was fixed on September 4 and IRCTC acknowledged the same on September 11.
It is not possible to determine for how long this vulnerability was present on the IRCTC platform. Also, there’s little official information on whether or not this vulnerability was exploited or not. We don’t know right now whether or not any user was directly affected due to the said tech issue.
Considering that IRCTC being one of the largest ticket booking platforms in India with the majority of citizens relying on it to travel on trains, the implications could have been massive.
Explaining how the vulnerability was found,
said, “While I was booking a ticket as a normal human I suddenly got an idea to test for vulnerabilities.” In his mail to CERT-In (a copy of which is present with The Times of India--GadgetsNow), he wrote, “Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another's tickets, you will get all the sensitive details. You can also cancel someone's ticket or do anything malicious.”
“I tried for IDOR and decreased the number of the transaction ID and forwarded the packet. And Yeah! I got a random user’s transaction and ticket details like Train Number, Departure time, Duration of the journey, PNR number, Status of the ticket, Boarding station, Passenger's information like their names, seat details, gender & age,” he added.