When 17-year-old P. Renganathan from Chennai, Tamil Nadu was trying to book a train ticket for one of his family members, he discovered a fatal flow in IRCTC’s website.
The teen’s hacker sense led him to a huge vulnerability on Indian Railway Catering and Tourism Corporation’s (IRCTC) website which could have compromised data of millions of its users. “I was booking a ticket for one of my family members, I had an instinct that this particular bug called IDOR would be present for sure. It is a very common flaw found on applications like IRCTC”, Renganathan told Indiatimes.
On September 23, Renganathan was invited by Tamil Nadu’s Minister for Information Technology, Thiru T. Mano Thangaraj to acknowledge the teenager’s efforts in preventing a data leak from IRCTC’s database.
The teenage tech wizard was then able to find the flaw in 5 minutes. “After booking the ticket, it took me five minutes to find this flaw”, he told Indiatimes.
In Renganathan’s words, he simply went to the booking ticket history option on IRCTC portal and accessed the transaction ID which is written into the server through a backend code.
With the 13 digital transaction ID and assistance from a tool, Renganathan was able to access tickets of other passengers, along with their personal details. In the code, he changed the basic numerical value that may be randomly assigned to all tickets, giving him access to essentially everything.
After making a few tweaks in the code of the website’s ticket booking portal, Renganathan found that he was able to access random transacation and ticket details of the passengers including train number, departure time, PNR number, status of the ticket, personal information of the passenger including names, gender and age.
While the 17-year-old’s intentions were noble, other hackers may not be so benevolent. Renganathan explained to Indiatimes how black hat hackers could have “written a script that would have cancelled passenger tickets of 100,000 or a million people in a few minutes… even seconds”. In addition, he claimed that criminal hackers could have scrapped all user data to be later sold on the dark web in exchange for any cryptocurrency like bitcoin.
Full Article: https://www.indiatimes.com/technology/news/white-hacker-irctc-bug-p-renganathan-550124.html