IRCTC's weird 'captcha' bug risked lakhs of accounts: Here's how
A few years ago, India's central train ticketing system IRCTC compromised details of over 1 crore users in a major breach. The hack raised cybersecurity alarms across the nation, but as it turns out, the portal is still struggling to maintain its security. It was recently plagued by a bug that put lakhs of accounts and their data at risk. Here's all about it.
Karunya University student flagged 'captcha' vulnerability
Just recently, Ronnie T Baby, a Karunya University student, detailed a 'captcha' bug in the 'forgot password' section of IRCTC's website. Whenever a user employs this option, IRCTC sends an OTP, which has to be entered along with a captcha to reset the password. However, in this case, the website allowed him to enter OTPs indefinitely by reusing the same captcha shown on the page.
This opened gates for brute force attacks
This, as Baby emphasized, exposed lakhs of accounts on the service to the risk of typical brute force attacks, where an attacker could have used automated tools to try out different OTP combinations against easily-retrievable usernames. Notably, in this case, the OTP was 6 digits long, which meant it could never exceed 999999 and made guessing the OTP even easier.
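As an added illustration (not code from the article or from IRCTC), the Python sketch below contrasts a verification handler with the flaw described above, where the captcha is checked but never consumed and guesses are unlimited, against a hardened one that consumes the captcha on every guess, caps attempts and expires the OTP; the session class, the limits and the helper names are assumptions made for this example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy values for the example, not IRCTC's
MAX_ATTEMPTS = 5


class ResetSession:
    """State for one 'forgot password' flow (constructed for illustration)."""

    def __init__(self, otp=None):
        # 6-digit OTP, the size the article describes
        self.otp = otp or f"{secrets.randbelow(10**6):06d}"
        self.issued = time.time()
        self.attempts = 0
        self.captcha = None      # token of the captcha currently shown; None means none is valid
        self.locked = False

    def new_captcha(self):
        self.captcha = secrets.token_urlsafe(8)
        return self.captcha


def verify_weak(s, captcha, otp):
    """Bug pattern: captcha is checked but never consumed, and attempts are unlimited."""
    if captcha != s.captcha:
        return "bad_captcha"
    return "ok" if otp == s.otp else "bad_otp"


def verify_hardened(s, captcha, otp):
    """Each OTP guess consumes the captcha, counts against a limit and expires with the OTP."""
    if s.locked or time.time() - s.issued > OTP_TTL_SECONDS:
        return "locked"
    if s.captcha is None or not hmac.compare_digest(captcha, s.captcha):
        return "bad_captcha"
    s.captcha = None         # single-use: the same captcha cannot cover a second guess
    s.attempts += 1
    if hmac.compare_digest(otp, s.otp):
        s.locked = True      # OTP is consumed after success as well
        return "ok"
    if s.attempts >= MAX_ATTEMPTS:
        s.locked = True
    return "locked" if s.locked else "bad_otp"


def guesses_with_reused_captcha(verify, s):
    """Defender's check: how many OTP guesses one captcha solve buys, and whether it succeeds."""
    cap = s.new_captcha()
    for n in range(10**6):
        result = verify(s, cap, f"{n:06d}")
        if result != "bad_otp":
            return n + 1, result == "ok"
    return 10**6, False
```

Running the check against both handlers shows the weak one accepts every guess under a single captcha until the OTP is hit, while the hardened one rejects the second guess outright and locks the session after MAX_ATTEMPTS even when a fresh captcha is solved each time.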
Hacked IRCTC accounts would have meant serious security concerns
In his investigation, Baby was able to leverage the bug to break into an account with a brute force tool, something, he stressed, any bad actor could also have done. Naturally, this put the confidential travel information of lakhs of people at risk, including details like emails, numbers, and addresses. An attacker could even have used the hacked accounts to cancel booked tickets.
However, the issue has now been fixed
That said, it is important to note that the bug was patched weeks after its detection in January. IRCTC has not commented on the matter or said whether any accounts were actually compromised through exploitation of the bug. Either way, the existence of the issue itself shows that the platform still has a lot more to do to bolster its security.