
Bengaluru resident and software engineer Nandan Kumar shared that he hacked into the website of airline IndiGo to access details of another passenger with whom his bag got accidentally exchanged. In a Twitter thread, Nandan shared that he travelled from Patna to Bengaluru onboard IndiGo 6E-185 on March 27. On arrival, his luggage got exchanged with that of another passenger. “It was an honest mistake from both our ends. As the bags (were) exactly the same with some minor differences,” Nandan wrote.
Only after he reached home did he realise that his luggage had been switched. “My wife pointed out that the bag seems to be different from ours as we don’t use key based locks in our bags.”
Nandan then tried to call IndiGo customer care. After multiple calls and a long wait, he got in touch with a customer care executive, who tried to reach the other passenger. However, the issue was not resolved, as attempts to get the other passenger on a conference call were in vain. Nandan added that the customer care team refused to give him information about the other passenger, citing privacy and data protection. The customer care executive then offered to get back to him after getting in touch with the other passenger.
“After the call did not work, the agent assured me that they will call me back when they are able to reach the other person,” Nandan wrote, adding that over 24 hours had passed but he did not receive any word on his luggage.
That’s when Nandan decided to take the matter into his own hands. He tried entering the co-passenger’s PNR number, which was stamped on the baggage tag, on IndiGo’s website to find their address or number. However, nothing worked, which is when Nandan decided to try a more unorthodox approach.
“After all the failed attempts, my dev instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole checkin flow with network log record on,” Nandan wrote.
“And there in one of the network responses was the phone number and email Id of my co-passenger,” Nandan said, calling this his “low-key hacker moment” and a ray of hope. Nandan made note of the details, finally got in touch with the co-passenger, and decided to meet to get his luggage back.
And there in one of the network responses was the phone number and email Id of my co-passenger. Ah this was my low-key hacker moment and the ray of hope. I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug
— Nandan kumar (@_sirius93_) March 28, 2022
“And thankfully I was able to reach my co passenger with the phone number I got from the logs and luckily we lived in a close proximity of 6-7 kms. So we decided to meet at a Center point and got our bags swapped,” Nandan tweeted, also drawing IndiGo’s attention to the vulnerabilities on the website that helped him access the data of other passengers.
“Dear @IndiGo6E take note. 1. Fix your IVR and make it more user friendly 2. Make your customer service more proactive than reactive 3. Your website leaks sensitive data get it fixed,” Nandan tweeted.
Fun Fact: When I asked my co passenger if he had got a call from indigo, he denied it saying he did not get any calls. While the agent claimed to me that they called three times. @IndiGo6E @Ankurkrtweets @scottishladki
— Nandan kumar (@_sirius93_) March 28, 2022
After Nandan’s Twitter thread went viral, IndiGo issued a response saying it had noted his feedback, but denied that its website was compromised. In a statement, the airline said that it has a separate process for reporting mishandled baggage, and that the team found that Nandan had selected a different option during the recorded voice call with the customer care number.
“We tracked back and found that you selected 'flight info' and 'flight cancellation' instead of mishandled baggage as your query option on MR which took time connecting to our customer care team,” IndiGo said.
The airline also said that it did not divulge details about the other passenger in keeping with its data privacy policy. Hence, IndiGo said, its customer care team tried to arrange a conference call in order to facilitate the exchange of baggage.
“We’d also like to state that our IT processes are completely robust and at no point was the IndiGo website compromised. Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practised across all airline systems globally,” IndiGo added in the statement.
— IndiGo (@IndiGo6E) March 29, 2022