Teenager flags bug in IRCTC’s system

The critical Insecure Direct Object Reference (IDOR) vulnerability on the website enabled him to access the journey details of other passengers

September 21, 2021 02:48 am | Updated 07:34 pm IST - CHENNAI

P. Renganathan, a Standard 12th student, flagged the bug in IRCTC’s system. Photo: Special Arrangement


A city school student has helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug on its online ticketing platform that could have exposed private information of millions of passengers.

Acting on his alert, the Computer Emergency Response Team, India, conveyed the vulnerability to the IRCTC that fixed the glitch, preventing a possible hacking of the largest online ticketing portal in the country.

According to P. Renganathan (17), a Standard 12th student of a private school at Tambaram in Chennai, he was logging into the IRCTC portal to book a train ticket a few days ago when he found vulnerabilities that could compromise its security features. The critical Insecure Direct Object Reference (IDOR) vulnerability on the website enabled him to access other passengers' journey details, such as name, gender, age, PNR number, train details, departure station and date of journey.
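The IDOR pattern described above, as an added illustration (not IRCTC's code, and not from the article): a journey-details lookup keyed only on the caller-supplied PNR, beside a hardened version that checks the record belongs to the logged-in user. The function names, the `Booking` record and the sample PNRs are all constructed for this example.

```python
# Added illustration (not IRCTC's code): a lookup keyed only on PNR returns
# any passenger's record; the fixed version enforces object-level authorization.
from dataclasses import dataclass


@dataclass(frozen=True)
class Booking:
    pnr: str
    owner_user_id: str
    passenger_name: str
    train: str
    boarding_station: str


class Forbidden(Exception):
    """Raised when the caller does not own the requested booking."""


# Constructed sample data; PNRs, users and names are invented for this example.
BOOKINGS = {
    "1234567890": Booking("1234567890", "user-a", "Asha", "12621", "MAS"),
    "0987654321": Booking("0987654321", "user-b", "Bala", "12007", "SBC"),
}


def journey_details_vulnerable(pnr: str, caller_user_id: str) -> Booking:
    # Vulnerable: the caller-supplied PNR is used directly as the lookup key
    # and the logged-in identity is never compared against the record owner,
    # so any authenticated user can read any other passenger's details.
    return BOOKINGS[pnr]


def journey_details_fixed(pnr: str, caller_user_id: str) -> Booking:
    # Fixed: resolve the record, then verify ownership before returning it.
    # A missing record and a foreign record produce the same error so the
    # endpoint does not reveal which PNRs exist.
    booking = BOOKINGS.get(pnr)
    if booking is None or booking.owner_user_id != caller_user_id:
        raise Forbidden("booking not found or not owned by caller")
    return booking
```

The same ownership check has to sit in front of every action keyed on the PNR (food orders, boarding-station changes, cancellations), since the article notes those share the same back-end code path.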

“Since the back-end code is the same, a hacker would have been able to order food, change the boarding station and even cancel the ticket without the knowledge of the bona fide passenger. Other services like domestic/international tourism, bus tickets and hotel bookings would have been possible in the user profile of other passengers. Most importantly, there was a risk of a huge database of millions of passengers getting leaked,” Renganathan said.

Issue resolved

On August 30, 2021, he reported the vulnerability to the CERT, India, which raised a ticket within minutes. Five days later, the bug was fixed and acknowledged by the IRCTC, says Renganathan.

The teenager says he has got acknowledgements from LinkedIn, United Nations, Nike and Lenovo among others for reporting security vulnerabilities on their web applications.

Renganathan wants to pursue a career in Computer Science, while continuing independent research on security of web applications.
