Researcher: IRCTC Website Had Vulnerability for 2 Years
Personal Details of Millions Leaked Online, Researcher Claims
The Indian Railway Catering and Tourism Corp., a subsidiary of the Indian Railways that handles catering, tourism and online ticketing operations, took two years to fix a security vulnerability that could have given hackers access to the personal information of passengers, according to a security researcher.
About 5.5 million to 6 million bookings are made each day on the website, according to IRCTC (see: IRCTC Denies Hack, But Leaked Data Could Be Genuine).
It is not known yet whether any passenger details were stolen. But Avinash Jain, a security researcher who discovered the vulnerability, says that data of millions of passengers could have been leaked. The leaked data included date of birth, address, phone number and email ID of passengers, he says.
Information Security Media Group reached out to IRCTC to obtain more details about the incident but did not receive a response.
Jain tells ISMG that he, along with another security researcher, found and reported the vulnerability to IRCTC and CERT-In on Aug. 14. "We got a response from CERT-In and finally they fixed the bug on August 29."
"After a lot of research we concluded that the vulnerability had gone unnoticed for two years," Jain says.
The incident reflects a lack of adequate attention to security issues, says Dinesh O. Bareja, COO at Open Security Alliance.
"This is clearly an attitude problem, and this is a systemic issue across all large enterprises in government as well as sometimes in private sectors," Bareja contends.
The vulnerability was found in IRCTC's website and mobile app link that connects to a third-party insurance company for free travel insurance, Jain says.
In December 2016, IRCTC introduced free travel insurance for those who booked tickets through its website or mobile app, according to a report in Economic Times. IRCTC made travel insurance mandatory for passengers, and their personal details were automatically transmitted to third-party insurers without their knowledge, according to Jain.
Jain told the Economic Times how he was able to crack the system: "To get the personal details of a traveler, we needed a valid combination of the transaction ID and passenger name record number," Jain said. "We were able to fetch details of any passenger by decoding the encrypted data (transaction ID/PNR) through brute force."
IRCTC discontinued mandatory travel insurance for passengers after the vulnerability was reported, Jain says.
Although three companies offer rail travel insurance to IRCTC passengers, the vulnerability was found only in the link to one of them, Jain says.
Prakash Kumar Ranjan, a security practitioner with a public sector bank based in Bengaluru, says the discovery of the vulnerability likely means that IRCTC did not conduct a thorough security audit for the link function.
"Had they conducted thorough testing, the vulnerability would have been mitigated," he says. "A simple brute force attack resulted in the exposure of the PNR. Even the encryption used was weak; they could have used a strong encryption algorithm both in transit and at rest."
IRCTC did not respond to a query by Information Security Media Group seeking more details on this.
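As an added illustration (not IRCTC's or the insurer's code, whose details the report does not give), one way to keep a hand-off link from being guessable is to authenticate it with a keyed MAC and bind it to the logged-in user, so a correct transaction ID/PNR pair alone is not enough. This authenticates the identifiers rather than encrypting them; the key, field names and function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Hypothetical key shared by the booking site and the insurer (constructed value).
LINK_KEY = b"constructed-demo-key-not-a-real-secret"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_link_token(txn_id, pnr, user_id, ttl=300, now=None):
    """Issue a token binding the booking identifiers to one user and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"txn": txn_id, "pnr": pnr, "uid": user_id, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(LINK_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_link_token(token, session_user, now=None):
    """Return the claims if the token is authentic, unexpired and owned by
    session_user; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        payload, given = b64d(body), b64d(tag)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(LINK_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None  # identifiers were altered or guessed without the key
    claims = json.loads(payload)
    if claims["exp"] < now or claims["uid"] != session_user:
        return None  # expired, or presented by a different account
    return claims

if __name__ == "__main__":
    # Constructed sample identifiers, not real booking data.
    tok = make_link_token("100000012345", "4512345678", "alice", now=1000)
    print(verify_link_token(tok, "alice", now=1100))
    print(verify_link_token(tok, "bob", now=1100))
```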
Jain claims that IRCTC did not reward him for finding the vulnerability or recognize his efforts. "IRCTC informed us that they do not have a bug bounty program and neither do they have a system to reward ethical hackers. If this is their attitude, will any ethical hacker ever help them?"
India lacks laws that protect researchers who expose security flaws. The Information Technology Act makes it clear that anyone who gains unauthorized access to a computer resource could face punishment.
Bareja argues that the government should start a bug bounty program and strive for responsible disclosure of vulnerabilities.
"The multinational companies are saving millions of dollars by leveraging bug bounties, whereas our [government] leaders are stuck in their legacy mindset," he claims. "There is a huge infrastructure that they are responsible for, and this is also a national responsibility that they carry. Every such bug notification must be taken as a learning [experience] to update their people, process and technology."