When 17-year-old P. Renganathan from Chennai, Tamil Nadu was trying to book a train ticket for one of his family members, he discovered a fatal flaw in IRCTC's website.
The teen's hacker sense led him to a huge vulnerability on Indian Railway Catering and Tourism Corporation's (IRCTC) website which could have compromised data of millions of its users.?"I was booking a ticket for one of my family members, I had an instinct that this particular bug called IDOR would be present for sure. It is a very common flaw found on applications like IRCTC", Renganathan told Indiatimes.
On September 23, Renganathan was invited by Tamil Nadu's?Minister for Information Technology,?Thiru T. Mano Thangaraj to acknowledge the teenager's efforts in preventing a data leak from IRCTC's database.
The teenage tech wizard was then able to find the flaw in 5 minutes. "After booking the ticket, it took me five minutes to find this flaw", he told Indiatimes.
In Renganathan's words, he simply went to the booking ticket history option on IRCTC portal and accessed the transaction ID which is written into the server through a backend code.?
With the 13 digital transaction ID and assistance from a tool, Renganathan was able to access tickets of other passengers, along with their personal details. In the code, he changed the basic numerical value that may be randomly assigned to all tickets, giving him access to essentially everything.
Also read:?16-Year-Old Pune Teen Captured Jupiter & Saturn On His Camera: He Shares With Us How He Did It
After making a few tweaks in the code of the website's ticket booking portal, Renganathan found that he was able to access random transacation and ticket details of the passengers including train number, departure time, PNR number, status of the ticket, personal information of the passenger including names, gender and age.
While the 17-year-old's intentions were noble, other hackers may not be so benevolent. Renganathan explained to Indiatimes how black hat hackers could have "written a script that would have cancelled passenger tickets of 100,000 or a million people in a few minutes... even seconds". In addition, he claimed that criminal hackers could have scrapped all user data to be later sold on the dark web in exchange for any cryptocurrency like bitcoin.
"But I have stopped this [attack]", Renganathan gleefully added while urging IRCTC authorities to check for "illegal activities that may have been done before" he discovered the flaw.
In fact, Renganathan is not so sure that IRCTC is out of the woods yet. Even though a fix has been initiated, a black hat hacker could easily bypass their fix, Renganathan suggested, while adding "they need to do more to close all the gaps".?In the wrong hands, such access could have halted India's connecting lifelines - tickets could be cancelled, destinations changed. On a large scale, the whole IRCTC operation could have been gutted had the vulnerability not been identified by Renganathan.
After detection from Renganathan, the flaw was acknowledged and fixed by IRCTC's CERT team in five days. But Renganathan believes there's a lot to be done yet for ethical hackers in India.?"India has got a huge number of ethical hackers and security researchers. They can invite all of them [to seek help]", he said while referring to a single-line thank you e-mail which he received from IRCTC as acknowledgment.
"Ethical hackers could receive more recognition than just a thanks mail from the CERT team", he added, while referring to the Hall Of Fame recognition that he had received from the United Nations for gaining access to their internal coding projects including database passwords.?"I reported the issue to them on December 4, 2020 and I was acknowledged in the United Nations Hall Of Fame on January 15", Renganathan said. He added that many companies that receive such tips from ethical hackers like himself fail to acknowledge the hacker and simply fix the issue on their end.
Also read:?Hacker Behind Largest Cryptocurrency Theft In History Returns Over $200 Million
Currently in the final year of school, Renganathan has also found a flaw in LinkedIn wherein he caused the application to crash. "On LinkedIn, I found a vulnerability in their mobile application... Anyone can send a connection request with a personalised note of 300 letters... I was able to bypass this character limit with 100,000 characters". Our phones cannot render such huge characters, so every time a user clicked on his connection request message, the LinkedIn app would crash.
As for the IRCTC vulnerability, the agency has fixed the data flaw for now. But as we step into the world of digital doomsday, such loopholes in large databases could leak the personal details of millions of Indians. Until then, let's hope the country is being protected by a fleet of young ethical hackers like Renganathan.
For more on the latest coming in from the world of science and technology, keep reading Indiatimes.com.