P Ranganathan, a 17-year-old boy from a private school in Tambaram, Chennai, recently spotted a bug in the Indian Railway Catering and Tourism Corporation (IRCTC) website and helped to get it fixed in the online ticketing platform. According to the 17-year-old, the bug would have exposed millions of passengers and their private information. He further said that a critical Insecure Direct Object Reference (IDOR) vulnerability in the website let him access the journey details of other passengers. Talking to media persons, he said that he logged in to the IRCTC site to book a ticket and found that he could access the details of other passengers, which could definitely compromise the security of the website.
The vulnerability he described gave him access to the details and private information of passengers, including name, gender, PNR number, departure station, train details and the date of journey. Ranganathan further explained that because the backend code was the same, a person who wanted to attack the website could also have ordered food in the name of any other passenger and changed the passenger's boarding station. Not only this, the attacker could even have cancelled the ticket, and the passenger would have had no idea about it. He also said that, beyond this, the biggest risk was the leaking of the database of millions of passengers.
According to a report in The Hindu, Ranganathan further said, “Since the backend code is identical, a hacker might have ordered food, changed the boarding location, or even canceled the ticket without the knowledge of the legitimate traveler. In the user profile of other travelers, services such as domestic/international tourism, bus tickets, and hotel bookings would have been possible. Most crucially, there was a risk of the massive database including millions of passengers being exposed.”
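The class of flaw described above, an authenticated user supplying someone else's record identifier (here a PNR) and the backend serving it because the lookup never checks ownership, is easiest to see side by side with the fix. The following is an added example written for this article; it is not IRCTC code and uses constructed bookings and hypothetical account names. It shows the vulnerable lookup, the hardened lookup that binds every PNR operation (view, change boarding station, cancel) to the logged-in account, and a small audit check that flags an account accumulating denied lookups, which is the signal a defender would watch for PNR enumeration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Booking:
    pnr: str
    owner: str          # account that created the booking (hypothetical field)
    name: str
    gender: str
    departure: str      # boarding station
    train: str
    date: str
    cancelled: bool = False


# Constructed sample data for the example; not real passenger records.
BOOKINGS: Dict[str, Booking] = {
    "1000000001": Booking("1000000001", "alice", "A. Kumar", "F", "Chennai Egmore", "12621", "2020-09-10"),
    "1000000002": Booking("1000000002", "bob", "B. Singh", "M", "Tambaram", "12622", "2020-09-11"),
}

# Audit trail of denied lookups: (session_user, pnr). A real service would
# write this to its security log instead of a module-level list.
DENIED: List[Tuple[str, str]] = []


def get_booking_vulnerable(session_user: str, pnr: str) -> Optional[Booking]:
    """IDOR pattern: the PNR comes from the client and is used directly as the
    lookup key. The session is checked for login but never for ownership, so
    any logged-in user can read any passenger's record."""
    return BOOKINGS.get(pnr)


def _owned_booking(session_user: str, pnr: str) -> Optional[Booking]:
    """Resolve a PNR only if it belongs to the logged-in account.

    A PNR that does not exist and a PNR owned by someone else are handled
    identically (None, plus an audit entry), so the response does not reveal
    which PNRs are valid."""
    booking = BOOKINGS.get(pnr)
    if booking is None or booking.owner != session_user:
        DENIED.append((session_user, pnr))
        return None
    return booking


def get_booking(session_user: str, pnr: str) -> Optional[Booking]:
    """Hardened read: same API shape as the vulnerable version, ownership enforced."""
    return _owned_booking(session_user, pnr)


def change_boarding_station(session_user: str, pnr: str, station: str) -> bool:
    """Every write path goes through the same ownership check as the read path."""
    booking = _owned_booking(session_user, pnr)
    if booking is None:
        return False
    booking.departure = station
    return True


def cancel_booking(session_user: str, pnr: str) -> bool:
    booking = _owned_booking(session_user, pnr)
    if booking is None or booking.cancelled:
        return False
    booking.cancelled = True
    return True


def suspicious_users(threshold: int = 3) -> List[str]:
    """Accounts with at least `threshold` denied PNR lookups. A legitimate user
    rarely mistypes their own PNR several times; a scripted enumeration does."""
    counts: Dict[str, int] = {}
    for user, _ in DENIED:
        counts[user] = counts.get(user, 0) + 1
    return sorted(user for user, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    # alice is logged in and asks for bob's PNR.
    print("vulnerable:", get_booking_vulnerable("alice", "1000000002"))
    print("hardened:  ", get_booking("alice", "1000000002"))
    print("flagged:   ", suspicious_users(1))
```

The important design choice is that ownership is decided in one place (`_owned_booking`) and every operation on a booking, read or write, is routed through it; the bug Ranganathan describes arises precisely when the read path, the food-order path and the cancellation path each trust the PNR on their own. Returning the same "not found" result for foreign and non-existent PNRs keeps the endpoint from doubling as a PNR oracle.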
Based on the teenager's report, India's Computer Emergency Response Team (CERT) took note of the vulnerability in the IRCTC website and had it fixed, thus preventing a leak of the database of millions of users of the country's largest online ticket reservation service. The bug was resolved and IRCTC acknowledged it as well.
P Ranganathan found the bug and on August 30 reported it to CERT, India, which immediately contacted IRCTC. According to Ranganathan, the flaw was corrected within 5 days and IRCTC recognised his report. An IRCTC official said, “Our e-ticketing system is well protected now. The issue was reported on August 30 and it was fixed on September 2.” Ranganathan also received an email from IRCTC thanking him for reporting the bug and protecting the data of millions of people.
Ranganathan wishes to work in computer science and to continue studying online application security. Remarkably, the teenager has also received acknowledgments from major organisations such as the United Nations, Nike, LinkedIn and several others for alerting them to bugs and vulnerabilities in their websites.