17-Yr-Old Chennai Boy Spots Bug In IRCTC Online Ticketing Platform, Helps Fix It
Writer: Shweta Routh
Tamil Nadu, 22 Sep 2021 10:22 AM GMT
Editor : Palak Agrawal
Creatives : Palak Agrawal
While booking a train ticket using the IRCTC portal a few days ago, P Renganathan discovered flaws that might undermine security features and enable a person to access the database of millions of passengers.
P Renganathan, a 17-year-old school student from Chennai, encountered and reported a bug in the Indian Railway Catering and Tourism Corporation's (IRCTC) online ticketing platform that might have exposed the personal information of millions of passengers.
Based on the teenager's report, India's Computer Emergency Response Team (CERT) flagged the vulnerability to the IRCTC, which then rectified it, preventing a potential compromise of millions of user records from the country's largest online ticket reservation service. The bug was corrected, and the IRCTC acknowledged it as well.
While booking a train ticket using the IRCTC portal a few days ago, Renganathan discovered flaws that might undermine security features, as reported by The Hindu. Because of a significant Insecure Direct Object Reference (IDOR) vulnerability on the website, he was able to obtain the journey details of other passengers, including name, gender, age, PNR number, train details, departure station, and date of journey.
"Since the back-end code is identical, a hacker might have ordered food, changed the boarding location, or even cancelled the ticket without the knowledge of the legitimate traveller. In the user profile of other travellers, further services such as domestic/international tourism, bus tickets, and hotel bookings would have been possible. Most crucially, there was a risk of a massive database including millions of passengers being exposed," said Renganathan, as reported by The Hindu.
Problem Resolved
On August 30, the teenager raised the matter with CERT, India, which immediately contacted the IRCTC. The error was corrected within five days, and the IRCTC acknowledged it, according to Renganathan.
Renganathan aspires to work in computer science while continuing his studies in online application security.