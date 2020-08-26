Security flaw on Railyatri could have breached data of 7 lakh people

Atom Security

Personal data of about 7 lakh Indians, spread over more than 37 lakh records, was exposed by a security flaw at RailYatri, an online travel marketplace focused on railway information and ticket purchases. According to the report that revealed the exposure, by Safety Detectives, all of the company's production server information was reachable, and 43 GB of data was later lost.

The firm's Elasticsearch server was neither password-protected nor encrypted and could be reached by anyone who knew its IP address. The exposed information included full names, age, gender, postal and email addresses, phone numbers, payment logs, partial credit and debit card details, UPI IDs, train and bus ticket booking details, travel itineraries, users' GPS locations, and user session logs including login times. Booking logs showing full passenger details were among the exposed data, Safety Detectives said.

Safety Detectives also said that three days after they detected the vulnerability, “the server became the target of a Meow bot attack, leading to the deletion of almost all server data.”

A Meow bot attack is an automated script that scans the internet for databases that can be reached without authentication, Elasticsearch and MongoDB instances in particular, and destroys their contents, leaving behind indices with random names ending in "meow" in place of the original data.
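The two conditions described above, a node that answers anonymous requests and indices that carry the Meow wipe pattern, can be checked from the node's own HTTP API. The script below is an added example for this article, not tooling from RailYatri, Safety Detectives or Elastic. It uses the real Elasticsearch endpoints `/` and `/_cat/indices?format=json`; the "-meow" index-name suffix it looks for, the sample responses and the cluster and index names in them are constructed for the example and were not taken from the incident report.

```python
"""Check whether an Elasticsearch node answers unauthenticated requests and
whether its indices show the wipe pattern of the Meow bot.

Added example for this article, not code from RailYatri or Safety Detectives.
Assumptions: Meow-wiped indices are named with random strings ending in "-meow";
the SAMPLE_* responses below are constructed, not captured from any real server.
"""
import json
import re
import urllib.error
import urllib.request

# Assumed signature of a Meow wipe: the original index is replaced by one whose
# name ends in "-meow".
MEOW_INDEX = re.compile(r"-meow$")


def fetch_json(base_url, path, timeout=5):
    """GET base_url + path with no credentials.

    Returns (HTTP status, parsed JSON body). Status is None if the host could
    not be reached at all; body is None unless the response was 200.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:      # 401/403 from a secured node
        return e.code, None
    except urllib.error.URLError:            # refused, filtered, DNS failure
        return None, None


def assess(root_status, root_body, indices_status, indices_body):
    """Classify the exposure from the root and _cat/indices responses.

    Pure function, so it can be run offline on captured or constructed data.
    """
    finding = {
        "anonymous_access": False,
        "cluster_name": None,
        "total_docs": 0,
        "open_indices": [],   # (name, doc count) of indices still holding data
        "meow_indices": [],   # names matching the wipe pattern
        "verdict": "",
    }
    # A 200 with cluster metadata on "/" means no auth layer sits in front.
    if root_status == 200 and isinstance(root_body, dict) and "cluster_name" in root_body:
        finding["anonymous_access"] = True
        finding["cluster_name"] = root_body["cluster_name"]

    if indices_status == 200 and isinstance(indices_body, list):
        for idx in indices_body:
            name = idx.get("index", "")
            docs = int(idx.get("docs.count") or 0)   # null for closed indices
            finding["total_docs"] += docs
            if MEOW_INDEX.search(name):
                finding["meow_indices"].append(name)
            else:
                finding["open_indices"].append((name, docs))

    if not finding["anonymous_access"]:
        finding["verdict"] = "authenticated or unreachable"
    elif finding["meow_indices"] and not finding["open_indices"]:
        finding["verdict"] = "exposed and already wiped by Meow"
    elif finding["meow_indices"]:
        finding["verdict"] = "exposed, partially wiped by Meow"
    else:
        finding["verdict"] = "exposed, data readable by anyone with the IP"
    return finding


def probe(base_url):
    """Live check against a node you are authorised to test, e.g. http://10.0.0.5:9200."""
    root_status, root_body = fetch_json(base_url, "/")
    idx_status, idx_body = fetch_json(base_url, "/_cat/indices?format=json")
    return assess(root_status, root_body, idx_status, idx_body)


# Constructed sample responses in the shape Elasticsearch returns.
SAMPLE_ROOT = {"name": "node-1", "cluster_name": "travel-logs",
               "version": {"number": "7.8.0"}, "tagline": "You Know, for Search"}
SAMPLE_INDICES_BEFORE = [
    {"index": "booking-logs-2020.08", "docs.count": "3700000", "store.size": "43gb"},
    {"index": "user-sessions", "docs.count": "120000", "store.size": "600mb"},
]
SAMPLE_INDICES_AFTER = [
    {"index": "gqxjl8zk1c-meow", "docs.count": "0", "store.size": "208b"},
    {"index": "booking-logs-2020.08.13", "docs.count": "41000", "store.size": "1gb"},
]

if __name__ == "__main__":
    print(assess(200, SAMPLE_ROOT, 200, SAMPLE_INDICES_BEFORE)["verdict"])
    print(assess(200, SAMPLE_ROOT, 200, SAMPLE_INDICES_AFTER)["verdict"])
    print(assess(401, None, 401, None)["verdict"])
```

Run `probe()` only against hosts you are authorised to test. A verdict other than "authenticated or unreachable" means the node's HTTP port is bound to a reachable interface with no authentication in front of it; the fix is to bind it to a private address or localhost and enable authentication on the cluster, not to rely on the IP address staying unknown.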

The report by Safety Detectives said that RailYatri's database had shrunk to just 1 GB from 43 GB. "At the most recent check done on 13 August 2020, the database's size had shrunk from 43GB to 1GB, although new data is being added on a daily basis," it said.

Safety Detectives said that after first discovering the exposed server it informed RailYatri, but as it received no response, it reported its findings to the Indian Computer Emergency Response Team (CERT-In), India's nodal agency for cybersecurity issues. The server was secured the day after that report, Safety Detectives said.

According to the report, the most damaging information was the partial payment data: the name on the card, the first four and last four digits of the card number, the issuing bank and the expiry date were all accessible.

“Thankfully, the leaked payment information was suppressed to reveal only partial copies of card numbers. This drastically reduces the chance of a malicious financial scam; however, resourceful hackers could still use the information on the server to launch phishing scams to induce victims to hand over their financial information,” Safety Detectives said.

In a statement to NDTV Gadgets 360, RailYatri said that the server in question was a test server and some of their logs were replicated.

“As a general protocol, any and all data older than 24 hours are automatically deleted from the server. Further, we would like to clarify that report suggesting 7,00,000 email addresses leaked in three days is factually incorrect as it would be impossible for that to happen since the server contains at most a days-worth of data,” it said.

It also claimed that it does not store financial or other sensitive information except for partial data.

“We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data,” it claimed.