The critical Insecure Object Direct References (IDOR) vulnerability on the website enabled him to access the journey details of other passengers
A city school student has helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug on its online ticketing platform that could have exposed private information of millions of passengers.
Acting on his alert, the Computer Emergency Response Team, India, conveyed the vulnerability to the IRCTC that fixed the glitch, preventing a possible hacking of the largest online ticketing portal in the country.
According to P. Renganathan (17), a Standard 12th student of a private school at Tambaram in Chennai, he was booking a train ticket by logging into the IRCTC portal a few days ago when he found certain vulnerabilities that could compromise the security features. The critical Insecure Object Direct References (IDOR) vulnerability on the website enabled him to access the journey details of other passengers such as name, gender, age, PNR number, train details, departure station and date of journey.
“Since the back-end code is the same, a hacker would have been able to order food, change the boarding station and even cancel the ticket without the knowledge of the bonafide passenger. Other services like domestic/international tourism, bus tickets and hotel bookings would have been possible in the user profile of other passengers. Most importantly, there was a risk of a huge database of millions of passengers getting leaked,” Renganathan said.
On August 30, 2021, he reported the vulnerability to the CERT, India, which raised a ticket within minutes. Five days later, the bug was fixed and acknowledged by the IRCTC, says Renganathan.
The teenager says he has got acknowledgements from LinkedIn, United Nations, Nike and Lenovo among others for reporting security vulnerabilities on their web applications.
Renganathan wants to pursue a career in Computer Science, while continuing independent research on security of web applications.
Source: Read Full Article