Atom

IRCTC fixes bug on e-ticketing platform after Chennai student raises alarm

P Renganathan, a Class 12 student, raised an alarm over the presence of Insecure Direct Object References (IDOR) - a type of access control vulnerability in the booking site.

Written by : PTI

The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a Class 12 student from Chennai raised an alarm over the presence of Insecure Direct Object References (IDOR) - a type of access control vulnerability in the booking site. The IT wing of the IRCTC, which took note of the complaint immediately resolved the vulnerability issue that has been reported, a senior official said on Tuesday, September 21.

“Our e-ticketing system is well-protected (now). The issue was reported on August 30 and it was fixed on September 2,” he added.

The IDOR, a type of access control vulnerability, arises when an application uses user-supplied input to access objects directly. “I accidentally discovered a critical IDOR that leaks the transaction details of millions of travelers, when I was trying to book tickets on August 30. It was the most common bug. Immediately, I reported it to the Indian Computer Emergency Response Team (CERT-In),” P Renganathan, a student at a private school in Tambaram, said.

“I've discovered a critical IDOR that leaks the transaction details of millions of travelers. Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another's tickets, you will get all the sensitive details. You can also cancel someone's ticket or do anything malicious,” he said in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology.

As mitigation, Renganathan who identifies himself as an ethical hacker and cyber security researcher said that the booked user and ticket should be validated so that no one else can access it except the booked user.

On September 11, 2021, he received a mail thanking him for reporting the incident to CERT-In and also a confirmation that the reported vulnerability had been resolved by the authorities concerned.

Renganathan has, previously, been acknowledged by LinkedIn, United Nations, BYJU's, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications.

Bengaluru officials demand parental consent for interfaith weddings: A TNM investigation

‘Democracy khatre main hai’: The Donald Trump Edition | US Election 2024 with Sreenivasan Jain

Tension in Karnataka’s Haveri after BJP says temples will become Waqf properties

Caste is reason for India having higher child stunting than sub-Saharan Africa

Kerala APP suicide: 10 months on no chargesheet, accused back at work