17-year-old teenager from Chennai finds bug in IRCTC’s ticketing portal, gets it fixed

A 17-year-old school student from Chennai has identified and flagged a bug in the online ticketing platform of the Indian Railway Catering and Tourism Corporation (IRCTC) that could have exposed the private information of millions of passengers, according to news reports. The bug has since been fixed and was acknowledged by the IRCTC. The IRCTC has also said that its e-ticketing system is well protected with state-of-the-art cyber-security technologies.

The Computer Emergency Response Team (CERT), India, acting on the teenager's alert, reported the vulnerability to the IRCTC, which then fixed it, thus preventing the potential hack of millions of user records from the largest online ticket reservation portal in the country.

P Renganathan, the 17-year-old class 12 student from Tambaram, Chennai, said that while logging into the IRCTC’s portal a few days earlier to reserve a train ticket, he came across certain vulnerabilities in the system that could compromise its security features, according to a report. Because of a critical Insecure Direct Object Reference (IDOR) vulnerability on the platform, Renganathan could access other passengers' data such as name, gender and age, as well as journey-related data such as PNR number, train details, departure station and date of journey, the report also showed.
He said that, because of the vulnerability, a hacker could have cancelled a passenger's ticket without their knowledge, a claim that the IRCTC has denied, and that the data of millions of passengers was at risk of being leaked.

“Since the back-end code is the same, a hacker would have been able to order food, change the boarding station and even cancel the ticket without the knowledge of the bona fide passenger. Other services like domestic/international tourism, bus tickets and hotel bookings would have been possible in the user profile of other passengers. Most importantly, there was a risk of a huge database of millions of passengers getting leaked.”

“Railways E-ticketing system is a well-protected system equipped with state of the art cyber security technologies at Network, System and Application layers. The system has been regularly audited by third-party security auditors for security vulnerabilities. The website ensures secure data transfer with its users and payment gateways/ Banks with end to end data encryption. However, as and when any bugs and vulnerabilities are reported from any quarters, it is taken up and resolved,” IRCTC’s PRO Anand Kumar Jha said.
