A 17-year-old school student from Chennai has identified and flagged a bug in the online ticketing platform of the Indian Railway Catering and Tourism Corporation (IRCTC) that could have exposed the private information of millions of passengers, according to news reports on Tuesday. The bug has since been fixed and acknowledged by the IRCTC.
Acting on the teenager's alert, the Computer Emergency Response Team (CERT) India reported the vulnerability to the IRCTC, which then fixed it, preventing a potential breach of millions of user records from the country's largest online ticket reservation portal.
P Renganathan, the 17-year-old class 12 student from Tambaram, Chennai, said that he tried to reserve a train ticket by logging into the IRCTC's portal a few days earlier and, while doing so, came across certain vulnerabilities in the system that could compromise its security, according to a report in The Hindu on Tuesday. Because of a critical Insecure Direct Object Reference (IDOR) vulnerability on the platform, Renganathan could access other passengers' personal data, such as name, gender and age, as well as journey-related data such as PNR number, train details, departure station and date of journey, the report showed.
He said that, because of the vulnerability, a hacker could have cancelled a passenger's ticket without their knowledge, and that it put the data of millions of passengers at risk of being leaked.
'Since the back-end code is the same, a hacker would have been able to order food, change the boarding station and even cancel the ticket without the knowledge of the bona fide passenger. Other services like domestic/international tourism, bus tickets and hotel bookings would have been possible in the user profile of other passengers. Most importantly, there was a risk of a huge database of millions of passengers getting leaked,' The Hindu quoted him as saying.
The teenager had raised the issue with CERT India on August 30, and CERT notified the IRCTC immediately. The IRCTC fixed the bug five days later, the report showed.
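The flaw described above is a textbook IDOR: the server authenticates the user but then lets a client-supplied identifier (here a PNR) select the record without checking that the record belongs to that user. The example below is an added illustration, not IRCTC code; the page does not describe the actual request format, so the booking store, the PNR values and the lookup functions are all constructed. It shows the vulnerable pattern, how an attacker enumerates it, and the hardened version that scopes the lookup to the session owner and answers "not yours" and "does not exist" identically so the endpoint cannot be used to confirm which PNRs are live.

```python
"""IDOR illustration (constructed example, not the IRCTC platform's code):
a booking lookup keyed only by PNR, beside a version that checks ownership."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Booking:
    pnr: str
    owner: str                       # user id the booking belongs to
    train: str
    passengers: List[Tuple[str, str, int]]   # (name, gender, age)
    cancelled: bool = False


class NotFound(Exception):
    """Raised for 'no such PNR' and, in the hardened path, for 'not your PNR'."""


# Constructed sample store: two users, three bookings, sequential PNRs.
BOOKINGS = {
    "1000000001": Booking("1000000001", "alice", "12623", [("Alice", "F", 34)]),
    "1000000002": Booking("1000000002", "bob", "12007", [("Bob", "M", 41), ("Ben", "M", 9)]),
    "1000000003": Booking("1000000003", "alice", "12163", [("Alice", "F", 34)]),
}


def get_booking_vulnerable(session_user: str, pnr: str) -> Booking:
    """Authenticated but not authorised: the PNR from the request selects the
    record and session_user is never consulted, so any logged-in user can read
    any booking. Every action built on this lookup inherits the flaw."""
    if pnr not in BOOKINGS:
        raise NotFound(pnr)
    return BOOKINGS[pnr]


def cancel_booking_vulnerable(session_user: str, pnr: str) -> Booking:
    """State-changing action on the same unchecked lookup: cancel anyone's ticket."""
    booking = get_booking_vulnerable(session_user, pnr)
    booking.cancelled = True
    return booking


def get_booking_hardened(session_user: str, pnr: str) -> Booking:
    """Look the record up, then require that it belongs to the caller. A wrong
    owner gets the same NotFound as a missing PNR, so the response does not
    reveal whether a guessed PNR exists."""
    booking = BOOKINGS.get(pnr)
    if booking is None or booking.owner != session_user:
        raise NotFound(pnr)
    return booking


def cancel_booking_hardened(session_user: str, pnr: str) -> Booking:
    """Cancellation now goes through the ownership check."""
    booking = get_booking_hardened(session_user, pnr)
    booking.cancelled = True
    return booking


def enumerate_pnrs(lookup: Callable[[str, str], Booking],
                   session_user: str, start: int, count: int) -> List[Booking]:
    """What an attacker does against the vulnerable endpoint: walk a range of
    sequential PNRs with one valid session and keep every record returned."""
    found = []
    for n in range(start, start + count):
        try:
            found.append(lookup(session_user, str(n).zfill(10)))
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    # Bob, logged in as himself, harvests every booking in the range.
    for b in enumerate_pnrs(get_booking_vulnerable, "bob", 1000000000, 5):
        print("leaked:", b.pnr, b.owner, b.train, b.passengers)
    # Against the hardened lookup he only sees his own.
    for b in enumerate_pnrs(get_booking_hardened, "bob", 1000000000, 5):
        print("own:   ", b.pnr, b.owner, b.train)
```

The fix is an authorization check at the data-access layer, not input validation: a PNR is a legitimate, well-formed value, so filtering characters or rate-limiting alone does not close the hole. In a real service the ownership condition belongs in the query itself (select by PNR and owner) so that no code path can fetch the record without it.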