Chennai, Sept 21 (BPNS)
A 17 year old Plus two student in a private school at Tambaram, Chennai has helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug in its online ticketing platform. This flaw could have exposed millions of passengers and their private information.
The student, Ranganathan said that the critical Insecure Object Direct References (IODR) vulnerability on the website helped him to access the journey details of other passengers.
The 17-year-old told media persons that while he was logging into the IRCTC site for booking a ticket he found that he could access the details of other passengers that could compromise the security features of the website.
He said that the vulnerability helped him to access details of other passengers including name, gender, age, PNR number, train details, departure station, and date of journey.
Ranganathan said that as the back end code was the same, a hacker could have ordered food in the name of another passenger, change the boarding station, and can even cancel the ticket without the knowledge of the passenger.
He said that more than this there was the risk of the database of millions of passengers being compromised or leaked.
IRCTC officials said that Ranganathan had reported the matter to the Computer Emergency Response Team (CERT) on August 30, 2021, and IRCTC was alerted. The problem was fixed in five days.
The teenager had earlier got acknowledgments from Linkedin, United Nations, Nike, and several other companies for alerting them of the vulnerabilities in their websites.
