Software Engineer Shows His Skills! Hacks Indigo's Website To Retrieve Lost Luggage
Nandan Kumar, a 28-year-old software engineer who was traveling from Patna to Bangalore on an Indigo flight, swapped his luggage with a co-passenger by mistake. When he asked Indigo customer service for help, they refused to provide the person's contact information on the pretext that it would be a violation of privacy.
(Image: Nandan Kumar, sourced via BBC)
Nandan, however, faced this dilemma head-on and hacked the Indigo website to retrieve the details of the person with whom he had swapped luggage. They then met and exchanged suitcases, resulting in a normal ending to an incredible story.
Hey @IndiGo6E, Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 1/n
— Nandan kumar (@_sirius93_) March 28, 2022
Nandan Kumar narrated the incident in a series of tweets on March 28th, 2022, and it was immediately a big hit with the Twitterati.
Indigo confirmed in a statement that it was not a malicious attack, and a source from the company explained to the BBC that "at no point was the Indigo website compromised."
Privacy Concern For Flyers
As the news started going viral, Nandan wrote several more tweets explaining how journey details like PNR numbers and flyer names can compromise the privacy of flyers.
"My only suggestion to fellow passengers is to please do not share your boarding pass photos of your PNR details on social media or public domain," he wrote on Twitter. "And I hope airlines take all these things into account and do something about it, i.e. encrypt the data being sent over the network," he added.
And there in one of the network responses was the phone number and email id of my co-passenger. Ah this was my low-key hacker moment and the ray of hope. I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug pic.twitter.com/9l4pmNDk6V
— Nandan kumar (@_sirius93_) March 28, 2022
In some cases, Nandan wrote, the phone number and the email ids are visible on the screen itself. Even though that was not the case with his co-passenger, in those cases it's even easier for people with malicious intent to get the flyers' details.
He also pointed out that the network response exposes details like the address entered during a hotel check-in (such as home, hotel or Airbnb). Luggage details, including the luggage ID and weight, are also easily available there.
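An added example (not Indigo's code and not taken from Nandan's tweets) of the server-side fix for this class of leak: the booking response is built from an allow-list of the fields the page actually displays, and a test helper scans any response for contact data. The record, field names and patterns are constructed assumptions.

```javascript
// Constructed booking record as a backend might hold it (all values are made up).
const SAMPLE_BOOKING = {
  pnr: "ABC123",
  passengers: [{
    name: "A. Passenger",
    seat: "12C",
    phone: "+91-9000000000",
    email: "a.passenger@example.com",
    address: "221B Example Street",
    baggage: [{ tagId: "6E000001", weightKg: 14 }],
  }],
};

// Allow-list: only the fields the itinerary page renders (hypothetical names).
const PUBLIC_PASSENGER_FIELDS = ["name", "seat"];

// Build the response by copying allow-listed fields; everything else never
// leaves the server, so it cannot appear in the browser's network tab.
function toPublicBooking(record) {
  return {
    pnr: record.pnr,
    passengers: record.passengers.map((p) =>
      Object.fromEntries(
        PUBLIC_PASSENGER_FIELDS.filter((k) => k in p).map((k) => [k, p[k]]))),
  };
}

// Heuristics for a response audit: suspicious key names and value shapes.
const PII_KEY = /phone|mobile|email|address|tagid|weight/i;
const PII_VALUE = [/^[^@\s]+@[^@\s]+\.[^@\s]+$/, /^\+?\d[\d\s-]{8,}\d$/];

// Walk any JSON value and return the paths of fields that look like
// contact or baggage data, for use in an API regression test.
function findSensitivePaths(value, path = "$") {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSensitivePaths(v, `${path}[${i}]`));
  }
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => {
      const child = `${path}.${k}`;
      return PII_KEY.test(k) ? [child] : findSensitivePaths(v, child);
    });
  }
  const hit = typeof value === "string" && PII_VALUE.some((re) => re.test(value));
  return hit ? [path] : [];
}
```

Running `findSensitivePaths` against the raw record flags the phone, email, address and baggage fields; against the output of `toPublicBooking` it flags nothing.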
How The Co-Passenger Reacted
Funnily enough, when he asked his co-passenger about the incident, Nandan learned that the person had not even noticed that the luggage had been exchanged until Nandan called him and explained the scenario.
Nandan also tweeted the following list of advice for Indigo.
Dear, @IndiGo6E take note
1. Fix your IVR and make it more user friendly
2. Make your customer service more proactive than reactive
3. Your website leaks sensitive data get it fixed.
— Nandan kumar (@_sirius93_) March 28, 2022
"He was also surprised at how did I get his number, had to explain that to him too," Nandan said, "but in the end we both were happy".