Chennai schoolboy flags bug on IRCTC website, prevents major security breach

In what prevented the personal data of millions of Indians from being leaked, a 17-year-old school student from Chennai has identified and flagged a virus in website of the Indian Railways Catering and Tourism Corporation (IRCTC).

According to reports P Renganathan, a class 12 student from Chennai’s Tambaram on August 30 had raised the issue with the Computer Emergency Response Team (CERT), which in turn informed the IRCTC about it.

IRCTC has acknowledged the bug and fixed it.

Renganathan has told media outlets that he discovered the issue while trying to book a ticket on the IRCTC portal a few days back. Reports said he found Insecure Object Direct References vulnerability on the ticketing platform which had potential to endanger the website’s security features and could have leaked the data of several users. Renganathan himself was able to access data about other passengers including their name, age and train and PNR details.

Also read: Indian hacker wins ₹21L bounty for tracking down Instagram bug

He told The Hindu that any hacker could have taken advantage of the vulnerability and cancelled the ticket of a passenger without their knowledge.

“Since the backend code is the same, a hacker would have been able to order food, change the boarding station and even cancel the ticket without the knowledge of the bona fide passenger. Other services like domestic/international tourism, bus tickets and hotel bookings would have been possible in the user profile of other passengers. Most importantly, there was a risk of a huge database of millions of passengers getting leaked,” The Hindu quoted him as saying.