NEW DELHI: At a recent expo, an independent security researcher named Renganathan P recently alerted the Indian Computer Emergency Response Team (Cert-in) on a significant vulnerability in the IRCTC platform that allowed easy access to the private information of billions of passengers. Not only that, exploiting the IDOR (Insecure direct object reference) The vulnerability in IRCTC could even have allowed the attacker to cancel reserved random passenger train tickets.
The IDOR vulnerability in IRCTC also allowed anyone to change the boarding point (of the train), order food, book a hotel, a tour package and even book a bus, according to Renganathan.
Renganathan, who claims to have helped LinkedIn, United Nations, BYJU, Nike, Lenovo, Upstox fix security vulnerabilities in their web applications, reported the issue to CERT-In on August 30, 2021, emailing “incident @ cert-in .org.in. ”The IDOR vulnerability was fixed on September 4 and the IRCTC acknowledged the same on September 11.
It is not possible to determine how long this vulnerability was present on the IRCTC platform. Furthermore, there is little official information on whether or not this vulnerability was exploited. We do not know at this time if any user was directly affected due to this technological problem.
Considering that IRCTC is one of the largest ticket booking platforms in India and most citizens depend on it for train travel, the implications could have been enormous.
Explaining how the vulnerability was found, Renganathan He said: “While booking a ticket as a normal human, I suddenly came up with an idea to test for vulnerabilities.” In your mail to CERT-In (a copy of which is present with The Times of India – GadgetsNow) wrote, “Go to your account’s ticket history, click on any ticket with the burp suite turned on. Now change the transaction ID to get access to someone else’s tickets, you will get all the confidential details. You can also cancel someone’s ticket or do something malicious. ”
“Tried with IDOR and decreased the number of transaction IDs and resent the packet. What if! I got the transaction from a random user and the ticket details like train number, departure time, trip duration, PNR number, ticket status, boarding station, passenger information like their names , details of the seat, sex and age ”, he added.