    IRCTC's weird 'captcha' bug risked lakhs of accounts: Here's how

    By Shubham Sharma
    Feb 22, 2019
    11:22 am

    What's the story

    A few years ago, India's central train ticketing system IRCTC compromised details of over 1 crore users in a major breach.

    The hack raised cybersecurity alarms across the nation, but as it turns out, the portal is still struggling to maintain its security.

    It was recently plagued by a bug that put lakhs of accounts and their data at risk.

    Here's all about it.

    Issue

    Karunya University student flagged 'captcha' vulnerability

    Just recently, Ronnie T Baby, a Karunya University student, detailed a 'captcha' bug in the 'forgot password' section of IRCTC's website.

    Whenever a user chooses this option, IRCTC sends an OTP, which has to be entered along with a captcha before the password can be reset.

    However, in this case, the website let him submit OTP guesses indefinitely by reusing the same captcha shown on the page, so the captcha never limited the number of attempts.

    Attack

    This opened gates for brute force attacks

    This, as Baby emphasized, exposed lakhs of accounts on the service to a typical brute force attack, in which an attacker could use automated tools to try different OTP combinations against easily retrievable usernames.

    Notably, in this case, the OTP was 6 digits long, which meant every possible value lay between 000000 and 999999 and made guessing the OTP even easier.
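    The reset flow described above, modelled as an added example that is not code from the article or from IRCTC: a minimal Python password-reset verifier in which each captcha is single-use (the property the bug lacked) and wrong OTP guesses are capped independently of the captcha, so a 6-digit OTP can only be tried a bounded number of times. The names ResetSession, issue_captcha and verify_reset, the five-attempt limit and the sample OTP and captcha answers are all constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_DIGITS = 6                      # the article's 6-digit OTP
OTP_KEYSPACE = 10 ** OTP_DIGITS     # 000000..999999: one million possible values
MAX_OTP_ATTEMPTS = 5                # assumed policy: lock the reset after this many wrong OTPs


@dataclass
class ResetSession:
    """Server-side state for one 'forgot password' request (hypothetical model)."""
    otp: str
    captcha_token: str = ""         # identifies the captcha challenge currently shown
    captcha_answer: str = ""
    captcha_used: bool = False      # the flaw in the article: this was effectively never enforced
    failed_attempts: int = 0
    locked: bool = False


def issue_reset_session(otp: Optional[str] = None) -> ResetSession:
    """Start a reset; the OTP is random unless a constructed one is supplied for tests."""
    if otp is None:
        otp = f"{secrets.randbelow(OTP_KEYSPACE):0{OTP_DIGITS}d}"
    return ResetSession(otp=otp)


def issue_captcha(session: ResetSession, answer: str) -> str:
    """Show a fresh captcha and return the token the client must echo back.

    A real server generates the answer itself; the caller supplies it here only
    so the example is deterministic (constructed values in the demo below).
    """
    session.captcha_token = secrets.token_hex(8)
    session.captcha_answer = answer
    session.captcha_used = False
    return session.captcha_token


def verify_reset(session: ResetSession, otp_guess: str,
                 captcha_token: str, captcha_answer: str) -> str:
    """One reset attempt. Returns 'ok', 'captcha_rejected', 'otp_wrong' or 'locked'."""
    if session.locked:
        return "locked"
    # The captcha must be the one currently issued, answered correctly and never
    # used before. Consuming it is what forces a fresh challenge per OTP attempt.
    if (captcha_token != session.captcha_token
            or session.captcha_used
            or not hmac.compare_digest(captcha_answer, session.captcha_answer)):
        return "captcha_rejected"
    session.captcha_used = True
    # Constant-time comparison so the check does not leak which digits matched.
    if hmac.compare_digest(otp_guess, session.otp):
        session.locked = True       # OTP is single-use; the session cannot be replayed
        return "ok"
    # Independent of the captcha: a hard cap on wrong guesses bounds any search of the keyspace.
    session.failed_attempts += 1
    if session.failed_attempts >= MAX_OTP_ATTEMPTS:
        session.locked = True
        return "locked"
    return "otp_wrong"


def guess_success_probability(max_attempts: int = MAX_OTP_ATTEMPTS) -> float:
    """Chance that max_attempts distinct guesses hit a uniformly random OTP."""
    return min(1.0, max_attempts / OTP_KEYSPACE)


if __name__ == "__main__":
    s = issue_reset_session(otp="123456")            # constructed OTP for the demo
    tok = issue_captcha(s, "7k2p")                   # constructed captcha answer
    print(verify_reset(s, "000000", tok, "7k2p"))    # otp_wrong
    print(verify_reset(s, "123456", tok, "7k2p"))    # captcha_rejected: same captcha reused
    tok = issue_captcha(s, "q9zd")
    print(verify_reset(s, "123456", tok, "q9zd"))    # ok
    print(f"{guess_success_probability():.0e}")      # 5e-06
```

    The two controls are deliberately separate: consuming the captcha removes the reuse that the student found, while the attempt counter protects the account even if a captcha solver is cheap, because five guesses out of a million possible OTPs gives a success chance of 5e-06 per reset.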

    Risk

    Hacked IRCTC accounts would have meant serious security concerns

    In his investigation, Baby was able to leverage the bug to break into an account with a brute force tool, something, he stressed, any bad actor could have also done.

    Naturally, this risked the confidential travel information of lakhs of people, including details like emails, numbers, and addresses.

    Not to mention, an attacker could have even used the hacked accounts to cancel booked tickets.

    Patch

    However, the issue has now been fixed

    That said, it is important to note that the bug was patched weeks after its detection in January.

    IRCTC has not commented on the matter or explained if any accounts were really compromised from the exploitation of the bug.

    Either way, the existence of the issue itself shows that the platform still has a lot more to do to bolster its security.
