Chennai school student helps IRCTC fix bug on its online platform


Chennai, Sep 21 (IANS): A 17-year-old plus two student in a private school in Chennai's Tambaram has helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug in its online ticketing platform, which could have exposed millions of passengers and their private information.

Ranganathan said that the critical Insecure Object Direct References (IODR) vulnerability on the website helped him to access the journey details of other passengers.

He told media persons that while he was logging into the IRCTC site for booking a ticket, he found that he could access the details of other passengers that could compromise the security features of the website.

The vulnerability helped him to access details of other passengers including name, gender, age, PNR number, train details, departure station, and date of journey.

Ranganathan said that as the back end code was the same, a hacker could have ordered food in the name of another passenger, changed the boarding station, and even cancelled the ticket without the knowledge of the passenger.

He said that more than this, there was the risk of the database of millions of passengers being compromised or leaked.

IRCTC officials said that Ranganathan had reported the matter to the Computer Emergency Response Team (CERT) on August 30, and the IRCTC was alerted. The problem was fixed in five days.

The teenager had earlier got acknowledgments from Linkedin, the United Nations, Nike, and several others for alerting them of the vulnerabilities in their websites.

 

  

Top Stories


Leave a Comment

Title: Chennai school student helps IRCTC fix bug on its online platform



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.