Did IRCTC take two years to fix security bug exposing info of thousands of passengers?

A security researcher estimates that the vulnerability left at least 200,000 passengers and their nominee details exposed.

One of India’s oldest and most-visited websites, IRCTC, might have been carrying a security vulnerability for over two years. The site, owned by Indian Railway Catering & Tourism Corporation, is used to book close to 600,000 rail tickets a day, almost a third of all tickets sold by the Railways.

According to an Economic Times report, the bug relates to a free travel insurance offer attached to every ticket booked on the IRCTC site: a link to the insurer is sent as soon as the booking process is completed. IRCTC introduced the travel insurance in December 2016 for passengers who booked tickets through the website and app.

The passenger then has to visit the insurer’s site to provide details. Three insurance companies are involved: Sriram General Insurance, ICICI Lombard General Insurance and Royal Sundaram General Insurance. This particular vulnerability appears to have existed only in the link to the Sriram General Insurance site.

The bug was reported to IRCTC and, according to the report, has since been fixed. The worrying part is that the bug may have been present for a period of 2 years, during which thousands of passengers’ personal details might have been lying exposed for any hacker to exploit. However, there is no confirmed report of data theft. There are roughly 200,000 registered users on the IRCTC website. The free travel insurance is no longer available.

The bug was detected by Avinash Jain, who says he reported it to IRCTC on August 14 and that it was resolved in about 15 days. Jain has explained that the unique 10-digit PNR number generated for every ticket was the only code needed to access the passengers’ names, ages and genders. Because the PNR alone unlocked the data, a hacker could retrieve these records through what is called “brute force”, a method used in hacking to gain illegal access to data with the purpose of stealing it.

The News Minute
www.thenewsminute.com