Indian Railway Catering and Tourism Corporation Ltd (IRCTC) on Tuesday said that it has fixed a bug on its e-ticketing platform after a Chennai-based Class 12 student raised an alarm over an Insecure Direct Object Reference (IDOR), a type of access control vulnerability. The vulnerability arises when an application uses user-supplied input, such as an ID in a URL or request parameter, to fetch an object directly without checking that the requesting user is actually authorised to access that object.
IRCTC’s IT wing fixed the bug immediately once the complaint was received, a senior official said. The issue was reported on August 30 and fixed on September 2, he said, adding that the e-ticketing system is now well protected.
P Renganathan, a plus-two student at a private school in Tambaram who identifies himself as an ethical hacker, said that he discovered a critical IDOR by accident while trying to book tickets on August 30; the flaw leaked the transaction details of millions of travellers. He then reported it to the Indian Computer Emergency Response Team (CERT-In). It is the most common kind of bug, he adds.
He explained that he discovered the critical IDOR by going to the account’s ticket history and clicking on any ticket with Burp Suite intercepting the traffic, which leaked the transaction details of millions of travellers. By changing the transaction ID in the intercepted request to gain access to another person’s ticket, all of that person’s sensitive details became available. “This can lead to cancellation of someone’s ticket or do anything malicious”, he said in an email complaint to CERT-In, which functions under the Union Ministry of Electronics and Information Technology.
Renganathan, who is also a cyber security researcher, said that as a mitigation the ticket should be validated against the user who booked it, so that no one except the booking user can access it.
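To make the access-control failure and the fix concrete, here is an added Python example; it is not IRCTC’s code, and the account names, PNRs and transaction IDs are constructed for illustration. It shows a ticket-lookup handler that fetches a record by the client-supplied transaction ID alone (the IDOR), beside one that binds the lookup to the logged-in user as Renganathan suggests, together with a probe that walks neighbouring transaction IDs the way the reporter did with Burp Suite.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Ticket:
    txn_id: str
    owner: str                 # account that made the booking (server-side fact)
    pnr: str
    passengers: Tuple[str, ...]
    fare_inr: int


# Constructed sample data standing in for the booking database: three
# accounts, one transaction each. Sequential IDs, as here, are what make
# enumeration trivial once the ownership check is missing.
TICKETS: Dict[str, Ticket] = {
    "TXN1001": Ticket("TXN1001", "alice", "2345678901", ("Alice K",), 1250),
    "TXN1002": Ticket("TXN1002", "bob", "2345678902", ("Bob R", "Bob Jr"), 2100),
    "TXN1003": Ticket("TXN1003", "carol", "2345678903", ("Carol M",), 980),
}


class NotFound(Exception):
    """Raised for an unknown ID and, in the hardened handler, also for an ID
    the caller does not own, so the response confirms nothing either way."""


def ticket_details_vulnerable(session_user: str, txn_id: str) -> Ticket:
    """IDOR: the record is fetched by the client-supplied ID alone.
    session_user is available but never consulted, so any logged-in
    account can read any ticket simply by editing txn_id in the request."""
    try:
        return TICKETS[txn_id]
    except KeyError:
        raise NotFound(txn_id) from None


def ticket_details_hardened(session_user: str, txn_id: str) -> Ticket:
    """The mitigation described in the article: bind the object to the
    logged-in user. The owner comes from the server-side record, never from
    the request. A mismatch and a missing ID both raise NotFound, so an
    attacker cannot use a 403-versus-404 difference to confirm an ID exists."""
    ticket = TICKETS.get(txn_id)
    if ticket is None or ticket.owner != session_user:
        raise NotFound(txn_id)
    return ticket


Handler = Callable[[str, str], Ticket]


def probe_id_range(handler: Handler, session_user: str, start: int, count: int) -> List[str]:
    """Replays the reporter's test: stay logged in as one account and walk
    through neighbouring transaction IDs. Returns the IDs whose ticket
    belongs to someone else but was still returned, i.e. the IDOR leak."""
    leaked: List[str] = []
    for n in range(start, start + count):
        txn_id = f"TXN{n}"
        try:
            ticket = handler(session_user, txn_id)
        except NotFound:
            continue
        if ticket.owner != session_user:
            leaked.append(txn_id)
    return leaked


if __name__ == "__main__":
    # alice probes IDs TXN1000..TXN1004 against both handlers.
    print("vulnerable handler leaks:", probe_id_range(ticket_details_vulnerable, "alice", 1000, 5))
    print("hardened handler leaks:  ", probe_id_range(ticket_details_hardened, "alice", 1000, 5))
```

The same ownership check must sit in front of every operation that takes a transaction ID, including cancellation, not only the details page; an IDOR on a read endpoint usually has a twin on the write endpoint next to it.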
In an email on September 11, 2021, CERT-In thanked him for reporting the issue and confirmed that it had been resolved.
Renganathan has been acknowledged by LinkedIn, BYJU’s, Lenovo, the United Nations and Nike for reporting security vulnerabilities in their web applications.