    IRCTC fixes bug after school student raises alarm

    By Varnika Sharma
    Sep 21, 2021
    06:45 pm

    What's the story

    The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a plus-two student from Chennai raised an alarm over an Insecure Direct Object Reference (IDOR), a type of access control vulnerability, in the booking site.

    The IT wing of the IRCTC, which took note of the complaint, immediately resolved the vulnerability issue.

    Information

    Our e-ticketing system is well-protected now: Senior Official

    "Our e-ticketing system is well-protected (now). The issue was reported on August 30 and it was fixed on September 2," a senior official said on Tuesday. The IDOR, a type of access control vulnerability, arises when an application uses user-supplied input to access objects directly.

    Bug

    Accidentally discovered a critical IDOR that leaks transaction details: Student

    "I accidentally discovered a critical IDOR that leaks the transaction details of millions of travelers, when I was trying to book tickets on August 30," P Renganathan, a plus-two student of a private school in Tambaram, said.

    "It was the most common bug. Immediately, I reported it to the Indian Computer Emergency Response Team (CERT-In)," the student added.

    Complaint

    Renganathan had sent an email complaint to CERT-In

    "I've discovered a critical IDOR that leaks the transaction details of travelers. Go to your account ticket history, click on any ticket with burp suite turned on," he wrote in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology.

    "Now change the transaction ID to gain access to another's tickets, you will get all the sensitive details," he added.

    Details

    Renganathan identifies himself as an ethical hacker

    "You can also cancel someone's ticket or do anything malicious," he added in the complaint.

    As mitigation, Renganathan, who identifies himself as an ethical hacker and cyber security researcher, said that the booked user and the ticket should be validated so that no one except the booked user can access it.
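The ownership check described above, as an added example (not IRCTC's code and not from the article): a lookup that trusts the client-supplied transaction ID beside one that validates the booked user. All names, IDs and records are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ticket:
    transaction_id: int
    owner: str       # account that made the booking
    passenger: str
    status: str = "BOOKED"


# Constructed sample data: two accounts, one booking each.
TICKETS = {
    1001: Ticket(1001, "alice", "A. Kumar"),
    1002: Ticket(1002, "bob", "B. Singh"),
}


class Forbidden(Exception):
    """The session user does not own the requested ticket."""


def get_ticket_vulnerable(session_user, transaction_id):
    # IDOR: the user is authenticated, but the client-supplied ID alone
    # decides which record is returned; ownership is never compared.
    return TICKETS.get(transaction_id)


def get_ticket_checked(session_user, transaction_id):
    ticket = TICKETS.get(transaction_id)
    # One error for "missing" and "not yours", so a response does not
    # reveal which transaction IDs exist.
    if ticket is None or ticket.owner != session_user:
        raise Forbidden("ticket not available for this account")
    return ticket


def cancel_ticket_checked(session_user, transaction_id):
    # State-changing actions reuse the same ownership gate as reads.
    ticket = get_ticket_checked(session_user, transaction_id)
    TICKETS[transaction_id] = replace(ticket, status="CANCELLED")
    return TICKETS[transaction_id]


def cross_account_leaks(session_user, ids, lookup):
    """Authorization regression check: IDs that `lookup` discloses to
    session_user although they belong to another account."""
    leaked = []
    for tid in ids:
        try:
            ticket = lookup(session_user, tid)
        except Forbidden:
            continue
        if ticket is not None and ticket.owner != session_user:
            leaked.append(tid)
    return leaked
```

Running `cross_account_leaks` against every object-returning handler in a test suite catches a missing ownership check before release.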

    Other details

    Renganathan has identified and reported security vulnerabilities in major sites

    Renganathan, who is currently studying in the commerce group, has been acknowledged by LinkedIn, the United Nations, BYJU's, Nike, Lenovo and Upstox for reporting security vulnerabilities in their web applications.

    "Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. I have opted for online classes owing to the pandemic," he said.
