A 17-year-old boy find bug in the IRCTC system, a huge benefit to millions of passengers, see details

A 17-year-old schoolboy has helped fix a flaw on the Indian Railway Catering and Tourism Corporation’s (IRCTC) online ticketing platform, saving millions of passengers’ personal information from going viral. P. A security researcher named Renganathan alerted the computer emergency response team to India’s railway ticket booking platform IRCTC, provided details about the bug (vulnerability) and saved the data of several users from being leaked. See details.

12th standard student of a private school in Tambaram, Chennai. According to Rengnathan, few days ago, he was logging on to the IRCTC portal and booking a train ticket, when he found some errors in it that could have compromised security features. Critical Insecure Object Direct Reference (IDOR) vulnerabilities on the website allow them to obtain travel details of other passengers such as name, gender, age, PNR number, train details, place of departure and date of travel. Renganathan said that because the back-end code was the same, hackers were able to order food, change boarding stations and even cancel tickets without passenger information. Most importantly, the database of millions of passengers was at risk of being leaked.


Problems solved in this way:

On August 30, 2021, Renganathan informed CERT about the bug in IRCTC. His CERT created a query ticket for him in a matter of minutes. Renganathan explained that, five days later, the bug was fixed and the IRCTC accepted the bug. Renganathan says he has received acknowledgments from LinkedIn, the United Nations, Nike and Lenovo for reporting security vulnerabilities on their web applications. Renganathan wants to pursue a career in computer science, continuing his research into the security of web applications.

Leave a Reply

Your email address will not be published.

%d bloggers like this: