P Renganathan, a 17-year-old school student from Chennai, encountered and reported a bug in the Indian Railway Catering and Tourism Corporation's (IRCTC) online ticketing platform that might have exposed the personal information of millions of passengers.
Based on the teenager's report, India's Computer Emergency Response Team (CERT) flagged the vulnerability to the IRCTC, which then rectified it, preventing a potential compromise of millions of user records from the country's largest online ticket reservation service. The IRCTC also acknowledged the bug.
While booking a train ticket on the IRCTC portal a few days ago, Renganathan discovered flaws that could undermine the site's security controls, as reported by The Hindu. Because of a significant Insecure Direct Object Reference (IDOR) vulnerability in the website, he was able to retrieve the journey details of other passengers, including name, gender, age, PNR number, train details, departure station, and date of journey.
"Since the back-end code is identical, a hacker might have ordered food, changed the boarding location, or even cancelled the ticket without the knowledge of the legitimate traveller. In the user profile of other travellers, further services such as domestic/international tourism, bus tickets, and hotel bookings would have been possible. Most crucially, there was a risk of a massive database including millions of passengers being exposed," said Renganathan, as reported by The Hindu.
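The IDOR pattern described above, as an added illustration that is not code from the article or from IRCTC: a booking lookup selected only by PNR, beside the ownership check that closes the hole and a counter of denied lookups that a defender can alert on. The function names, the in-memory booking table, user ids and PNRs are all constructed.

```python
# Added example: booking lookup vulnerable to IDOR next to a hardened version.
# All data below is constructed sample data, not IRCTC data.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Booking:
    pnr: str
    owner: str       # id of the account that made the booking
    passenger: str
    train: str
    origin: str
    date: str


# Constructed in-memory "database": two bookings owned by two different users.
BOOKINGS = {
    "1234567890": Booking("1234567890", "user_a", "A. Kumar", "12621", "MAS", "2022-09-01"),
    "2345678901": Booking("2345678901", "user_b", "B. Devi", "12007", "SBC", "2022-09-02"),
}

# Denied lookups per session user; a spike here is the detection signal for
# someone walking through PNR values that are not theirs.
DENIED = Counter()


class Forbidden(Exception):
    pass


def _view(b: Booking) -> dict:
    return {"passenger": b.passenger, "train": b.train, "from": b.origin, "date": b.date}


def get_booking_vulnerable(session_user: str, pnr: str) -> dict:
    """IDOR: the PNR alone selects the record; who is asking is never checked."""
    return _view(BOOKINGS[pnr])


def get_booking_hardened(session_user: str, pnr: str) -> dict:
    """Fixed: resolve the record, then enforce that the caller owns it."""
    b = BOOKINGS.get(pnr)
    # Same error for "missing" and "not yours", so the endpoint cannot be used
    # to confirm which PNRs exist; record the denial for monitoring.
    if b is None or b.owner != session_user:
        DENIED[session_user] += 1
        raise Forbidden("booking not found")
    return _view(b)
```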
On August 30, the teenager raised the matter with CERT India, which immediately contacted the IRCTC. The error was corrected within five days, and the IRCTC acknowledged it, according to Renganathan.
Renganathan aspires to work in computer science while continuing to study web application security.