This 17-Year Old Spots A Bug In IRCTC Website, Prevents Tons Of Data Breach

4 mins read

This 17-Year Old Spots A Bug In IRCTC Website, Prevents Tons Of Data Breach

A 17-year-old school student from Chennai spotted a bug in the Indian Railway Catering and Tourism Corporation (IRCTC) website. As per the reports, the identified security flaw could reveal the private information of millions of passengers. The Computer Emergency Response Team (CERT), set up by the Ministry of Electronics and Information Technology, acknowledged the vulnerability immediately and fixed it five days later, thus preventing the potential hack of its users’ records from the online ticket reservation portal in India.

Meet P Renganathan

P Renganathan is a class-12 commerce student from Tambaram, who developed an interest in ethical hacking and cybersecurity during the lockdown due to Covid-19 pandemic. As per the reports he said that he was able to access valuable data such as passenger’s name, gender, age, PNR number, train details, departure station and the data of journey, due to the critical Insecure Object Direct References (IDOR) vulnerability on the platform. “This is a common vulnerability that developers often seem to overlook and this can cause serious threats to the data on the server”, he said. Furthermore, he could also change the boarding station and even cancel the entire trip of the passenger and order food, without their knowledge.

According to a story in The Hindu, he discovered the issue when trying to reserve a train ticket online through the IRCTC portal and discovered security vulnerabilities in the online system that might lead to the hacking of vital passenger data. After a week, Renganatham received a letter stating that the problem had been resolved and thanking him for his efforts.

Other bugs that Renganatham got fixed!

This was not the first time Renganatham got a bug fixed. In fact, he also found security bugs on Byjus, LinkedIn, Nike and other websites from the United States. In October 2020 he found a bug on LinkedIn which enabled him to crash a user's phone with an invitation email! So far, Renganathan has received monetary compensation of more than $100 and many letters of appreciation from various companies.

While there are many bug bounty hunters who are constantly watching for such bugs on online platforms, most of the efforts are directed at websites that fall out of the Indian jurisdiction. Renganatham said that this happens because countries like the Netherlands and the US offer monetary compensations or some cool merchandise like t-shirts for their appreciable and valuable work. “However, in India, all we get is an appreciation email,” he said. “In fact, in the US, the Department of Defence, runs a programme of disclosure and the names of such ethical hackers are added to a wall of fame on Hackerone” he added.

Also Read: This 20 year old Indian girl gets awarded INR 22 lakhs by Microsoft for finding a bug

The issue got resolved in time!

IRCTC's PRO Anand Kumar Jha said, “Railways E-ticketing system is a well-protected system equipped with state of the art cyber security technologies at Network, System and Application layers. The system has been regularly audited by third-party security auditors for security vulnerabilities. The website ensures secure data transfer with its users and payment gateways/ Banks with end to end data encryption. However, as and when any bugs and vulnerabilities are reported from any quarters, it is taken up and resolved.”