India’s largest ecommerce website, IRCTC (Indian Railways Catering and Tourism Corporation), a subsidiary of Indian Railways run by the Ministry of Railways, is the cornerstone of affordable travel in India. IRCTC handles the catering, tourism and online ticketing operations of Indian Railways, involving about 600,000 ticket bookings daily. As per IRCTC’s annual report for 2016-17, e-ticketing accounted for 62% of reserved railway tickets in India, with more than 573,000 tickets sold daily through the IRCTC website. The Indian Computer Emergency Response Team (CERT-In), the agency that handles cybersecurity threats, recorded 53,081 reported incidents in the country in 2017.
The bug was first reported by Fossbytes. According to them, the website was previously hacked in 2016, when the details of over 1 crore users were leaked. This bug was found by Ronnie T Baby, a college student from Karunya University. It lay in the website’s reset-password option, which automatically sent an OTP to the registered mobile number once a user ID was entered. The site did have a captcha to prevent brute-forcing attempts, but it allowed the same captcha to be reused for an unlimited number of requests. This weakness allowed attackers to brute-force the OTP and log into users’ accounts. Once logged in, attackers could gain access to sensitive user details and the confidential travel information of lakhs of people, including emails, phone numbers and addresses. Brute-forcing attacks systematically try candidate values, such as entries from a large database of passwords, until the correct one is found. An OTP is a short numeric code with relatively few possible values, so when nothing limits the number of attempts, the computing power of a modern PC makes exhausting them easy.
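The control the article says was missing, as an added example that is not IRCTC’s code: a password-reset OTP verifier in which every captcha token is consumed on first use and each OTP allows only a bounded number of guesses, so neither captcha replay nor unlimited retries is possible. The service class, the limits and the status strings are assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Constructed model of the reset-password step described in the article:
# an OTP is sent after a user ID is entered, and the verify step is guarded
# by a captcha. Limits below are illustrative, not IRCTC's real values.
OTP_LENGTH = 6
MAX_ATTEMPTS = 5           # a 6-digit OTP has only 10**6 values, so cap guesses
OTP_TTL_SECONDS = 300


class OtpResetService:
    def __init__(self):
        self._otps = {}        # user_id -> [otp, expires_at, attempts_left]
        self._captchas = {}    # captcha_token -> expected answer (single use)

    def issue_captcha(self):
        token = secrets.token_urlsafe(16)
        answer = secrets.token_hex(3)    # stands in for the text on the image
        self._captchas[token] = answer
        return token, answer

    def request_otp(self, user_id):
        otp = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self._otps[user_id] = [otp, time.time() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp    # in production this goes to the phone, never to the caller

    def verify(self, user_id, captcha_token, captcha_answer, otp_guess):
        # pop() consumes the token: a replayed captcha fails even with the
        # right answer. This is exactly the reuse the reported flaw allowed.
        expected = self._captchas.pop(captcha_token, None)
        if expected is None or not hmac.compare_digest(
                expected.encode(), captcha_answer.encode()):
            return "captcha_rejected"
        state = self._otps.get(user_id)
        if state is None or time.time() > state[1]:
            return "otp_expired"
        if state[2] <= 0:
            return "locked"            # too many misses: even a correct OTP fails
        state[2] -= 1
        if hmac.compare_digest(state[0].encode(), otp_guess.encode()):
            del self._otps[user_id]    # OTP is single use as well
            return "ok"
        return "locked" if state[2] == 0 else "wrong_otp"
```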
The vulnerability is said to have exposed at least 2,00,000 (2 lakh) passengers and their nominee details to attackers, although it is not confirmed whether the data was actually accessed. According to the report, the vulnerability was found in the link on IRCTC’s website and mobile app that connects to a third-party insurance company for free travel insurance, a service that IRCTC introduced in December 2016. IRCTC subsequently stopped mandatory free travel insurance from September 1, allowing users to choose whether to opt in or opt out of travel insurance.
IRCTC has not commented on the matter or explained whether any accounts were actually compromised through exploitation of the bug. The important thing to note here is that the issue was reported to IRCTC on January 19 and, in less than a month, IRCTC fixed the problem on February 12 with proper captcha verification.
An IRCTC spokesperson denies that there was any vulnerability on its website. “There is no bug (on the website) so there is no question of fixing it,” the spokesperson said.