India’s largest e-ticketing platform repairs bug after school student raises alarm


Chennai: The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a Plus Two student from the city raised an alarm over an Insecure Direct Object Reference (IDOR), a kind of access control vulnerability, in the reservation website.

The IT wing of the IRCTC, which took note of the complaint, immediately dealt with the vulnerability that had been reported, a senior official said on Tuesday.

"Our e-ticketing system is well safeguarded (now). The problem was reported on August 30 and it was fixed on September 2," he added.

An IDOR, a kind of access control vulnerability, arises when an application uses user-supplied input (such as an identifier in a request) to access objects directly, without checking that the requesting user is authorised to access that particular object.

"I accidentally found a critical IDOR that leaks the transaction information of millions of travellers, when I was attempting to book tickets on August 30. It was the most typical bug. Instantly, I reported it to the Indian Computer Emergency Response Team (CERT-In)," P Renganathan, a Plus Two student of a private school in Tambaram here, said.

"I have discovered a critical IDOR that leaks the transaction information of millions of travellers. Go to your account ticket history, click on any ticket with Burp Suite turned on. Now alter the transaction ID to get to another's tickets, you will get all the sensitive information. You can also cancel someone's ticket or do anything harmful," he said in an email complaint to CERT-In, which comes under the Union Ministry of Electronics and Information Technology.

As a mitigation, Renganathan, who describes himself as an ethical hacker and cyber security researcher, said that the booking user and the ticket must be validated against each other so that nobody other than the user who made the reservation can access it.
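To illustrate the bug and the mitigation described above, here is an added example (not IRCTC's code; the ticket store, account names and transaction IDs are constructed sample values): a ticket-history lookup that trusts the transaction ID in the request, beside the hardened version that also checks ownership against the session user and records denied lookups for monitoring.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Ticket:
    txn_id: str
    owner: str        # account that made the booking
    passenger: str
    train: str

# Constructed sample data (not real bookings): two accounts, one booking each.
TICKETS: Dict[str, Ticket] = {
    "TXN1001": Ticket("TXN1001", "alice", "A. Kumar", "12621"),
    "TXN1002": Ticket("TXN1002", "bob", "B. Singh", "12007"),
}

# Denied lookups are recorded so a burst of foreign-ID requests from one
# account is visible to monitoring; a real service would write these to its logs.
DENIED_ATTEMPTS: List[Tuple[str, str]] = []

class Forbidden(Exception):
    """The session user is not the owner of the requested ticket."""

def get_ticket_vulnerable(session_user: str, txn_id: str) -> Optional[Ticket]:
    """The IDOR pattern: the request's transaction ID is used directly as the
    lookup key and the session user is never consulted."""
    return TICKETS.get(txn_id)

def get_ticket_fixed(session_user: str, txn_id: str) -> Ticket:
    """Object-level authorization: resolve the ticket, then require that it was
    booked by the session user. Unknown and foreign IDs get the same response,
    so the endpoint does not confirm which transaction IDs exist."""
    ticket = TICKETS.get(txn_id)
    if ticket is None or ticket.owner != session_user:
        DENIED_ATTEMPTS.append((session_user, txn_id))
        raise Forbidden("ticket not available to this account")
    return ticket

def cancel_ticket_fixed(session_user: str, txn_id: str) -> bool:
    """State-changing actions need the same ownership check as the read path."""
    ticket = get_ticket_fixed(session_user, txn_id)   # raises Forbidden if not owner
    del TICKETS[ticket.txn_id]
    return True

def is_denied(session_user: str, txn_id: str) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_ticket_fixed(session_user, txn_id)
    except Forbidden:
        return True
    return False
```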

On September 11, 2021, he received a mail thanking him for reporting the incident to CERT-In, along with a confirmation that the "reported vulnerability has been resolved" by the authorities concerned.

Renganathan, currently pursuing the commerce stream, has been acknowledged by LinkedIn, the United Nations, BYJU's, Nike, Lenovo and Upstox for reporting security vulnerabilities in their web applications.

Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. "I have chosen online classes owing to the pandemic," he said.

Published at Tue, 21 Sep 2021 06:28:12 -0500