Udayavni Special

India’s largest e-ticketing platform fixes bug after school student raises alarm


PTI, Sep 21, 2021, 3:50 PM IST

Chennai: The Indian Railway Catering and Tourism Corporation Ltd. (IRCTC) fixed a bug on its e-ticketing platform after a plus two lad from the city raised an alarm over the presence of Insecure direct object references (IDOR) – a type of access control vulnerability in the booking site.

The IT wing of the IRCTC which took note of the complaint, immediately resolved the vulnerability issue that has been reported, a senior official said on Tuesday.

“Our e-ticketing system is well protected (now). The issue was reported on August 30 and it was fixed on September 2,” he added.

The IDOR, a type of access control vulnerability, arises when an application uses user-supplied input to access objects directly. “I accidently discovered a critical IDOR that leaks the transaction details of millions of travelers, when I was trying to book tickets on August 30. It was the most common bug. Immediately, I reported about it to the Indian Computer Emergency Response Team (CERT-In),” P Renganathan, a plus-two student of a private school in Tambaram here, said.

“I’ve discovered a critical IDOR that leaks the transaction details of millions of travelers. Go to your account ticket history, click on any ticket with burp suite turned on. Now change the transaction ID to gain access to another’s tickets, you will get all the sensitive details. You can also cancel someone’s ticket or do anything malicious,” he said in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology.

As a mitigation, Renganathan who identifies himself as ethical hacker and cyber security researcher, said that the booked user and ticket should be validated so that no one else can access it except the booked user.

On September 11, 2021, he received a mail thanking him for reporting the incident to CERT-In and also a confirmation that the “reported vulnerability has been resolved” by the authorities concerned.

Renganathan, currently pursuing commerce group, has been acknowledged by LinkedIn, United Nations, BYJU’s, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications.

Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. “I have opted for online classes owing to the pandemic,” he said.

Udayavani is now on Telegram. Click here to join our channel and stay updated with the latest news.

Top News

We are not anti-Muslim: Union minister Prahlad Joshi

Bengaluru: Activists to perform ‘Pothole pooja’ to embarrass govt

The ‘Passive Voice’: Will Team India mentorship help Dhoni set CSK dug-out template in coming years?

Puttur: RSS leader accused of raping minor Dalit girl; Dalit organizations demand strict action

BJP mocks CWC as ‘parivar bachao working committee’, slams it for not reacting to Singhu killing

Elections to Congress president’s post to be held in September 2022: Sources

Kerala rains: Atleast 10 missing in Kottayam, IAF assistance sought

Related Articles More

Man arrested for selling church property worth more than Rs 50 crore

Sasikala visits Jaya mausoleum, keeps alive her bid to make a political comeback

Fake currency racket busted in UP, 3 arrested

‘Hindutva facing threat from neo Hindus, not outsiders’: Uddhav’s barbs at BJP

Steady Covid vaccination pace among reasons behind low daily cases in Delhi, say experts

MUST WATCH

NEWS BULLETIN 16-10-2021

Rescue work at Kapu

Mysore Dasara 2021 Jamboo Savari

Mylaralinga Swamy Temple Pallaki Chariot

Vijayadashami Celebration at Humnabad


Latest Additions

Man arrested for selling church property worth more than Rs 50 crore

We are not anti-Muslim: Union minister Prahlad Joshi

Sasikala visits Jaya mausoleum, keeps alive her bid to make a political comeback

Bengaluru: Activists to perform ‘Pothole pooja’ to embarrass govt

The ‘Passive Voice’: Will Team India mentorship help Dhoni set CSK dug-out template in coming years?

Thanks for visiting Udayavani

You seem to have an Ad Blocker on.
To continue reading, please turn it off or whitelist Udayavani.