Sunday, February 9, 2025
HomeCyber Security NewsIRCTC Free Insurance Bug That Puts Millions of Passenger Data Under Risk

IRCTC Free Insurance Bug That Puts Millions of Passenger Data Under Risk

Published on

SIEM as a Service

Follow Us on Google News

IRCTC fixed a critical security bug that allows attackers to steal passengers private information such as name, age, gender and insurance without user consent.

It appears the vulnerability for more than two years, security researcher Avinash Jain found the vulnerability exists both with the IRCTC’s website and app that connects with the third party free insurance service.

According to the Economic Times report, the bug was reported to IRCTC on August 14 and it was fixed on August 29.

Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information,” said Jain to Economic Times.

Three companies offering travel insurance service to IRCTC including ICICI Lombard General Insurance, Royal Sundaram General Insurance, and Shriram General Insurance.

The bug affects only the linkage to transact with the insurance company Shriram General Insurance and others are not affected.

After the booking of ticket, the nomination details to be filled at respective
Insurance Company site and encrypted transaction ID generated for the passengers.

Now in order to fetch the passenger details, we need to have Transaction ID or PNR number, but Jain said they able to fetch passenger details by decoding the transaction ID/PNR using brute force methods.

IRCTC issues more than 700,000 tickets every day, among that more than 62% of tickets are booked online.

Related Read

20,000 Users Affected With Air Canada Mobile App Data Breach

British Airways Hacked – More than 380,000 Payment Cards Compromised

Ransomware Attack Hits Bristol Airport, Flight Display Screens Went Offline

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...