IRCTC fixed a critical security bug that allows attackers to steal passengers private information such as name, age, gender and insurance without user consent.
It appears the vulnerability for more than two years, security researcher Avinash Jain found the vulnerability exists both with the IRCTC’s website and app that connects with the third party free insurance service.
According to the Economic Times report, the bug was reported to IRCTC on August 14 and it was fixed on August 29.
Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information,” said Jain to Economic Times.
Three companies offering travel insurance service to IRCTC including ICICI Lombard General Insurance, Royal Sundaram General Insurance, and Shriram General Insurance.
The bug affects only the linkage to transact with the insurance company Shriram General Insurance and others are not affected.
After the booking of ticket, the nomination details to be filled at respective
Insurance Company site and encrypted transaction ID generated for the passengers.
Now in order to fetch the passenger details, we need to have Transaction ID or PNR number, but Jain said they able to fetch passenger details by decoding the transaction ID/PNR using brute force methods.
IRCTC issues more than 700,000 tickets every day, among that more than 62% of tickets are booked online.