IRCTC Fixes Security Bug After Two Years of Leaving Users Exposed
- IRCTC is India’s largest e-commerce platform, and it handles the catering, tourism, and e-ticketing of the Indian Railways.
- A security bug was exposed two years ago that left user data of 200,000 users exposed.
- The bug was present in both the IRCTC website and the mobile app.
Despite being the largest e-commerce platform in India, IRCTC is quite lax about its security. The IRCTC (Indian Railway Catering and Tourism Corporation) handles all online ticketing and other services for the Indian Railways, making it one of the most popular services in the country. According to security researcher Avinash Jain, a security bug was present on the website for at least 2 years without any fixes.
Jain discovered the bug in August and revealed that over 200,000 users might have been affected in the past two years. The IRCTC may have given unrestricted access to hackers, and with 600,000 users booking their online tickets every day on the platform, it is quite alarming that the company chose to let the issue remain unattended. The security researcher was able to pull the data of nearly 1,000 passengers in less than 10 minutes. India’s security situation is not very promising with 53,081 reported security incidents in 2017 alone according to the Indian Computer Emergency Response Team(CERTin).
The security researcher revealed “To get the personal details of a traveler, we needed a valid combination of the transaction ID and passenger name record (PNR) number. We were able to fetch details of any passenger by decoding the encrypted data (transaction ID/PNR) through brute force.”
It is unknown how many users have been affected by the bug as it was only discovered in August. The bug was present on the IRCTC website as well as the mobile app. Both the website and the app used to link users to a third-party website for free travel insurance, which is where the bug was present. Hackers could gain access to private user data like name, age, gender and even the nominees for insurance selected on the insurance website.
What do you think about the IRCTC bug? Let us know in the comments below. Get instant updates on TechNadu’s Facebook page, or Twitter handle.