IRCTC fixes bug after school student raises alarm
The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a plus-two (Class XII) student from Chennai raised an alarm over an Insecure Direct Object Reference (IDOR), a type of access control vulnerability, in the booking site. The IT wing of the IRCTC, which took note of the complaint, resolved the vulnerability promptly.
Our e-ticketing system is well-protected now: Senior Official
"Our e-ticketing system is well-protected now. The issue was reported on August 30 and fixed on September 2," a senior official said on Tuesday. An IDOR, a type of access control vulnerability, arises when an application uses user-supplied input (for example a transaction or ticket ID in a request) to fetch an object directly, without checking that the authenticated user is actually authorised to read or modify that object.
Accidentally discovered a critical IDOR that leaks transaction details: Student
"I accidentally discovered a critical IDOR that leaks the transaction details of millions of travelers, when I was trying to book tickets on August 30," P Renganathan, a plus-two student of a private school in Tambaram, said. "It was the most common bug. Immediately, I reported it to the Indian Computer Emergency Response Team (CERT-In)," the student added.
Renganathan had sent an email complaint to CERT-In
"I've discovered a critical IDOR that leaks the transaction details of travelers. Go to your account ticket history, click on any ticket with Burp Suite turned on," he wrote in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology. "Now change the transaction ID to gain access to another's tickets; you will get all the sensitive details," he added.
Renganathan identifies himself as an ethical hacker
"You can also cancel someone's ticket or do anything malicious," he added in the complaint. As mitigation, Renganathan, who identifies himself as an ethical hacker and cyber security researcher, said that the booked user and the ticket should be validated so that no one except the user who booked it can access it.
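The flaw described in the report (a ticket-history lookup keyed only on the transaction ID) and the fix the student proposes (bind every ticket access to the logged-in user) are shown together below. This is an added example written for this article, not IRCTC's code; the account names, transaction IDs, PNRs and function names are constructed assumptions. The last function automates the check the reporter performed by hand: walk neighbouring transaction IDs as a different user and record which tickets come back.

```python
"""Added example, not IRCTC's code: an Insecure Direct Object Reference in a
ticket-history endpoint beside the ownership check that fixes it.

All data below (account names, transaction IDs, PNRs) is constructed for
illustration; the function names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Ticket:
    txn_id: str        # the "direct object reference" that appears in the request
    owner: str         # account that made the booking
    passenger: str
    pnr: str
    cancelled: bool = False


# Constructed sample store. Sequential transaction IDs make guessing a
# neighbour's ID trivial, which is what the student's report relies on.
TICKETS: Dict[str, Ticket] = {
    t.txn_id: t
    for t in (
        Ticket("100000000001", "alice", "Alice K", "PNR-A1"),
        Ticket("100000000002", "bob", "Bob R", "PNR-B2"),
        Ticket("100000000003", "carol", "Carol S", "PNR-C3"),
        Ticket("100000000004", "mallory", "Mallory M", "PNR-M4"),
    )
}


def _render(t: Ticket) -> dict:
    return {"txn_id": t.txn_id, "passenger": t.passenger, "pnr": t.pnr,
            "cancelled": t.cancelled}


# --- Vulnerable: the handler trusts the transaction ID from the request -------
def get_ticket_insecure(session_user: str, txn_id: str) -> Optional[dict]:
    """Authenticated but not authorised: session_user is never compared with
    the ticket's owner, so any logged-in user can read any ticket by ID."""
    t = TICKETS.get(txn_id)
    return _render(t) if t else None


def cancel_ticket_insecure(session_user: str, txn_id: str) -> bool:
    """Same defect on a state-changing action: anyone can cancel any ticket."""
    t = TICKETS.get(txn_id)
    if t is None:
        return False
    t.cancelled = True
    return True


# --- Fixed: bind every object access to the authenticated principal -----------
def get_ticket(session_user: str, txn_id: str) -> Optional[dict]:
    """Ownership is checked on every access. A ticket that exists but belongs
    to someone else gets the same answer as one that does not exist, so the
    endpoint cannot be used to confirm which IDs are valid."""
    t = TICKETS.get(txn_id)
    if t is None or t.owner != session_user:
        return None
    return _render(t)


def cancel_ticket(session_user: str, txn_id: str) -> bool:
    """Cancellation is allowed only for the account that booked the ticket."""
    t = TICKETS.get(txn_id)
    if t is None or t.owner != session_user:
        return False
    t.cancelled = True
    return True


# --- The check the reporter performed, automated ------------------------------
def enumerate_leaks(lookup: Callable[[str, str], Optional[dict]],
                    as_user: str, start: int, count: int) -> List[str]:
    """Walk a range of 12-digit transaction IDs as `as_user` and return the IDs
    of tickets that were returned but are not owned by that user."""
    leaked = []
    for n in range(start, start + count):
        txn_id = f"{n:012d}"
        rec = lookup(as_user, txn_id)
        if rec is not None and TICKETS[txn_id].owner != as_user:
            leaked.append(txn_id)
    return leaked


if __name__ == "__main__":
    print("insecure:", enumerate_leaks(get_ticket_insecure, "mallory", 100000000001, 10))
    print("fixed:   ", enumerate_leaks(get_ticket, "mallory", 100000000001, 10))
```

The hardened lookup deliberately returns the same "not found" result for a foreign ticket as for a nonexistent one; returning a distinct "forbidden" response would still let an attacker enumerate which transaction IDs are live. The same owner comparison must guard every route that takes the ID, including cancellation, since the report notes that the flaw allowed more than reading.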
Renganathan has identified and reported security vulnerabilities in major sites
Renganathan, currently pursuing a commerce group, has been acknowledged by LinkedIn, United Nations, BYJU's, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications. "Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. I have opted for online classes owing to the pandemic," he said.